This one is hard to explain, but I'll do it through an example:
Let's say I set the frontpage in the conf to be 'Frontpage'. This will of course cause the top namelink to go to site.com/Frontpage.
Now, then I set an ACL restriction on this page. If I do it through the normal interface, the pagename is automagically converted to lowercase, and the actual article exists in lowercase (of course). So, what we have now is that 'frontpage' has an ALL restriction, e.g. only read allowed. However, the top link somehow bypasses the ACL, bringing up the page 'Frontpage' with the contents of 'frontpage' but using the ACL rules for Frontpage, thus allowing edits if the admin didn't already think of this.
Proposed solution: when reading the startpage from the conf, how about some checks that convert it to lowercase? Otherwise a sloppy default install could end up with a frontpage editable even though the ACL says it cannot be edited.
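The mismatch described in this report, as an added Python sketch that is not part of the original report and not the wiki's own code: content is fetched by the lowercased page name while the ACL is looked up with the name as given. The function names, permission levels, the editable default for pages without a rule, and the sample data are all assumptions made for illustration.

```python
# Constructed sample data; names and permission levels are assumptions.
READ, EDIT = 1, 2
DEFAULT_PERM = EDIT  # assumed open-wiki default: no matching rule means editable

PAGES = {"frontpage": "Welcome"}    # articles are stored under lowercase names
ACL = {("frontpage", "ALL"): READ}  # rule saved via the interface (lowercased)


def clean_id(page_id):
    """Canonical page name: trimmed and lowercased."""
    return page_id.strip().lower()


def load_page(page_id):
    """Content lookup canonicalises, so 'Frontpage' serves 'frontpage'."""
    return PAGES.get(clean_id(page_id))


def acl_check_raw(page_id, group="ALL"):
    """Behaviour from the report: the ACL is matched on the name as given."""
    return ACL.get((page_id, group), DEFAULT_PERM)


def acl_check(page_id, group="ALL"):
    """Hardened check: canonicalise first so content and ACL use one key."""
    return ACL.get((clean_id(page_id), group), DEFAULT_PERM)


def read_start_page(conf):
    """Fix proposed in the report: lowercase the start page when reading conf."""
    return clean_id(conf["start"])


def find_mismatches(names):
    """Audit helper: names whose raw and canonical ACL results differ."""
    return [n for n in names if acl_check_raw(n) != acl_check(n)]


if __name__ == "__main__":
    conf = {"start": "Frontpage"}  # constructed config value from the report
    raw = conf["start"]
    print("content served:", load_page(raw))
    print("raw ACL result:", acl_check_raw(raw), "(EDIT = bypass)")
    print("canonical ACL result:", acl_check(raw), "(READ = enforced)")
    print("start page after fix:", read_start_page(conf))
    print("names to review:", find_mismatches([raw, "frontpage"]))
```

Normalising in both places (when the start page is read from the conf and inside the ACL check) keeps the restriction in force even if another code path passes a mixed-case name.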