We have been working on implementing tag security throughout our projects and noticed that when you have an OPC tag with security set properly on it, it works as expected, but only if you attempt to write to it directly.
However, if you have another tag without tag security set on it write to the first tag via a tag event script, you can basically circumvent that security.
This isn't a flaw; as far as I know, this is as designed: the user isn't initiating the write to the secured tag, the system is. Tag Change scripts occur outside of the normal client security system.
That's my understanding of the current state as well. However, I believe a revamp to make things more explicit and auditable throughout is also in the works.