Documents and metadata in packages received are not governed by the security restrictions of the receiving site until the data has been archived in the receiving site's system.
Access to the Holding Document Type, which is used to temporarily store the data in packages before the package contents are archived, should be restricted for security reasons.