I discovered this because I was using the ##user## field in the database activity.
##user## creates a link to the course profile of the person who posted the database entry.
In this instance, the teacher of the course posted the entry, and a guest to the course is reading it.
Now, I have prohibited all permissions connected with viewdetail, participant, and profile in the auth user, guest, student and teacher roles.
Yet seemingly any visitor to the course can click the ##user## link and get through to the teacher's course profile.
From there they can click to the full profile.
Also pasting the Teacher's full url straight into the url bar results in the guest or student user being able to see the profile.
HOWEVER, all the other profiles seem to be protected.
I confirmed this behaviour on the Moodle.org sandbox demo. Sam Student can always see Terri Teacher's course/full profiles, no matter what permissions are prohibited.
Can someone help me to understand what's going on?
Is there something about being a teacher is a course which always allows the participants to view your profile, no matter what permissions are set?
Thanks.
EDIT: Oh my goodness...
https://moodle.org/mod/forum/discuss.php?d=344795
What a horribly insidious, anomalous permission-override that is.