Attributes for which a user has 'write' permission, can technically be changed at any time by a user client side. Even if there are not pages, the user could use the client API to achieve this.
Attributes for which a user has read permission can be read from the system at any time (you can simply fire an XPATH query from the client API)
If Attributes are read-only the user cannot change them, even if the values are transient and only stored in the client. Mendix will use a kind of signature to verify that the client did not manipulate the object state.
I once had a similar question w.r.t. NPE: https://forum.mendix.com/link/questions/82122