Bug summary: Commerce.module provides a commerce profile entity type and a default bundle for billing information. Contributed modules like commerce_shipping can provide additional bundles. CRUD permissions for these bundles are configurable on the admin permissions page. However, these permissions are not enforced when commerce_customer renders the profile form on the applicable checkout pane.
Use case: I am using commerce_addressbook to allow a user to select from one of his existing profiles, or enter a new one. I'd like to disallow the user from editing the existing profiles (they are imported from an accounting system and have external keys attached to them) lest they think editing the address on file will result in an update to the external data source.
Steps to replicate: For a user with existing customer profiles on record, deselect all but the "view own [bundle] customer profiles" permission for the user's role. The expected behavior is that the profile is visible/usable, but not editable. Instead, the user is presented with an editable form and the edits are written to the database on submission.
Note: A permissions check in the above code would have to render an alternative to an editable form; that might be a form with all the applicable fields disabled, or (more likely) a rendered entity view of the profile.
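The following is an added example of the first alternative (a form with the applicable fields disabled), written as a small hypothetical contrib module named example_profile_lock; it is not code from commerce_customer or commerce_addressbook. It assumes the stock Drupal 7 Commerce checkout form (commerce_checkout_form_checkout keeps the order in $form_state['order'], customer profile panes are named customer_profile_<type>, and the order references each profile through a commerce_customer_<type> field) and the existing commerce_customer_profile_access() access callback. The addressbook selector element itself is not touched here.

```php
<?php
/**
 * @file
 * Hypothetical module "example_profile_lock": enforces the per-bundle
 * "edit ... customer profiles" permissions on the checkout profile panes.
 * Added example for this issue, not part of commerce_customer.
 */

/**
 * Implements hook_form_FORM_ID_alter() for commerce_checkout_form_checkout.
 */
function example_profile_lock_form_commerce_checkout_form_checkout_alter(&$form, &$form_state) {
  global $user;

  // commerce_checkout_form() keeps the order being checked out in $form_state
  // (assumption: stock Commerce checkout form).
  if (empty($form_state['order'])) {
    return;
  }
  $order = $form_state['order'];
  $order_wrapper = entity_metadata_wrapper('commerce_order', $order);

  foreach (element_children($form) as $pane_id) {
    // Customer profile panes are named customer_profile_<profile type>.
    if (strpos($pane_id, 'customer_profile_') !== 0) {
      continue;
    }
    $profile_type = substr($pane_id, strlen('customer_profile_'));

    // The order references the pane's profile via commerce_customer_<type>.
    $field_name = 'commerce_customer_' . $profile_type;
    if (!field_info_instance('commerce_order', $field_name, $order->type)) {
      continue;
    }
    $profile = $order_wrapper->{$field_name}->value();
    if (empty($profile->profile_id)) {
      // No stored profile yet: the pane will create a new one, which falls
      // under the create permission rather than the edit permission.
      continue;
    }

    // Same check the admin UI uses: "edit own/any <type> customer profiles".
    if (!commerce_customer_profile_access('update', $profile, $user)) {
      example_profile_lock_disable_widgets($form[$pane_id], $profile);
    }
  }
}

/**
 * Disables the field widgets that field_attach_form() added for a profile.
 *
 * Disabled elements keep their #default_value, so the pane's existing
 * validate/submit handlers re-save the stored values unchanged instead of
 * whatever the browser submitted.
 */
function example_profile_lock_disable_widgets(array &$pane_form, $profile) {
  foreach (field_info_instances('commerce_customer_profile', $profile->type) as $field_name => $instance) {
    if (isset($pane_form[$field_name])) {
      // #disabled is inherited by child elements during form building.
      $pane_form[$field_name]['#disabled'] = TRUE;
    }
  }
  // Explain to the customer why the stored profile cannot be changed here.
  $pane_form['profile_locked'] = array(
    '#markup' => t('This profile is on file and cannot be edited during checkout.'),
    '#weight' => -10,
  );
}
```

Disabling the widgets rather than removing them matters with the current pane handlers: removing them (or setting #access to FALSE) would leave field_attach_submit() with empty values, and the pane's submit handler would then save a blanked profile. The rendered entity view mentioned in the note can be added alongside the disabled widgets with entity_view('commerce_customer_profile', array($profile), 'customer') if the view modes defined by commerce_customer are available.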