When user has read-only permission to host, it's not visible in configuration, so it's not possible to export it. Although using API it's possible. This applies not only to admin users, but regular users and guests, that have no access to configuration, but still are able to export hosts with all the (sensitive) data.
a) Allow frontend to export read-only hosts?
b) Prohibit exporting read-only hosts via API?