I have a case where the user should be allowed to edit a certain DX field within the add form, but it should not be possible to edit the field later on. Currently the supermodel of the field has a security:write-permission="cmf.ManagePortal", which implements the required behavior for the edit form but not for the add form.
I'd say, as it is now, write permission should be valid for add forms too, and this is a bug and needs to be filed.
Regarding your special case: this case would need a difference between add-permission on field level and edit-permission for edits. This is a valid case, but I fear nobody had this in the past, and so it's not implemented.