HDInsight Security Vulnerability
When you deploy HDInsight as a resource and you add a user to the resource in the portal with READ access, they have far more access than you might expect. My tests are on the Spark cluster type WITHOUT the Enterprise Security Package. By connecting to the cluster through Visual Studio 2017 after READ access only is granted, the user will be able to:
Run queries against all data that HDInsight has access to.
Run queries that allow writing of data to any tables that HDInsight has access to - e.g. insert INTO TABLE test VALUES ('microsoft','access');
Clearly, this should not be possible with only READ access. I have opened an MS Support ticket on this, without a useful response or any understanding from Microsoft's side of why this is a problem.
An example of why this is a problem:
Imagine you have sensitive data in your data lake, consumed by HDInsight.
A user has read access to HDInsight because they monitor all Azure resources and have a subscription level READ permission.
They now have READ and WRITE access to all of the sensitive data in your data lake.
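As an added example (not part of the original post), the following Python audits which principals reach a given HDInsight cluster through role assignments, including ones inherited from the subscription or resource group as in the scenario above. It assumes the field names of `az role assignment list --all --output json` (principalName, roleDefinitionName, scope); the subscription id, resource names and principals are constructed placeholders.

```python
import json

# Constructed placeholders (not real ids). Azure resource ids are case-insensitive.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
CLUSTER_ID = SUBSCRIPTION + "/resourceGroups/rg-data/providers/Microsoft.HDInsight/clusters/spark-prod"

# Constructed sample in the shape of `az role assignment list --all --output json`
# (only the fields this script uses are included).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "monitor@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUBSCRIPTION},
    {"principalName": "dataeng@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": CLUSTER_ID},
    {"principalName": "other@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUBSCRIPTION + "/resourceGroups/rg-other"},
    {"principalName": "auditor-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SUBSCRIPTION + "/resourceGroups/rg-data"},
])


def scope_covers(assignment_scope, resource_id):
    """True if an assignment at assignment_scope is inherited by resource_id.

    Azure RBAC inherits down the scope hierarchy, so an assignment at the
    subscription or resource-group scope applies to every resource beneath it.
    Management-group scopes ("/providers/Microsoft.Management/...") are not
    prefixes of a resource id and are not handled here.
    """
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def principals_reaching_cluster(assignments_json, cluster_id):
    """Return sorted (principal, role, inherited) for every assignment that
    reaches the cluster. Per the report above, even Reader is enough to run
    queries against the cluster's data, so no role is filtered out."""
    hits = []
    for a in json.loads(assignments_json):
        if scope_covers(a["scope"], cluster_id):
            inherited = a["scope"].rstrip("/").lower() != cluster_id.rstrip("/").lower()
            hits.append((a["principalName"], a["roleDefinitionName"], inherited))
    return sorted(hits)


if __name__ == "__main__":
    for principal, role, inherited in principals_reaching_cluster(SAMPLE_ASSIGNMENTS, CLUSTER_ID):
        print(f"{principal:22} {role:12} {'inherited' if inherited else 'direct'}")
```

Feed it the real output of `az role assignment list --all --output json` to see who, Reader assignees from higher scopes included, can reach a production cluster.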