I don’t know what is wrong but mongodb ignore restrict read and write roles.
I created DB “TESDB” and user “TestReadUser”

{
    "_id" : "admin.TestReadUser",
    "userId" : UUID("88c52a39-6834-4ce7-9232-de106a31e800"),
    "user" : "TestReadUser",
    "db" : "admin",
    "roles" : [
        {
            "role" : "read",
            "db" : "TESTDB"
        }
    ],
    "mechanisms" : [ "SCRAM-SHA-1", "SCRAM-SHA-256" ]
}

But this user can create,drop, write etc ..
List of DB roles

Authetification in /etc/mongod.conf is enable

security:
  authorization: enabled
  keyFile: /mongo-security/replicakeyfile.txt
  transitionToAuth: true

What is wrong, please ?