Hi @Luke - Thanks for posting your question in here.
In the POSIX-style model used by Data Lake Storage Gen2, the access control lists (ACLs) for an item are stored on the item itself. Therefore, in order to retrieve the access control list of a directory, a user would need to have read access to that directory. If a user does have read access on the directory, they would ideally be able to retrieve the access control list for that directory.
So, I believe this is correct, i.e. the user will be able to call that method to view the ACL; however, unless they are part of the owner and owning group, they won't be able to make any updates to it. This could also be because, even internally, the call would be made to check whether or not a user has permission to perform a particular operation further.
Hope this helps!