Custom Field permissions - Order of precedence

I think I know the answer, but need to verify:

I’ve been tasked with automating an RMA process in RT. My plan was to use a Custom Field that the system can set, but users can view to track the status of the RMA. When I go to test it, the user is able to set the ‘restricted’ Custom Field. When I look at the permissions on the queue, the users are able to modify Custom Field values, but I’ve denied the right on the Custom Field itself. Is that what is causing the field to be editable?