In 1.8.4 (and earlier versions), guests (or other users with read only permissions) can acknowledge triggers that they can see, even without read/write permissions for the host. It's possible that this was by design, but that defies the Law of Least Astonishment, since giving someone read-only permissions shouldn't let them make any updates/changes.

I have a patch (attached) that checks for read/write permissions for acknowledging triggers (on tr_status.php and acknow.php).