The IAM file opens are not picked up by the ACF2 open intercept so the SAF AUTH call from SVC019 is being ignored so no validations will be validated essentially no security for IAM file opens. Adding the SAFDEF that will force the validations if they are issued by IAM.
INSERT SAFDEF.IAM MODE(GLOBAL) ID(IAM) RB(SVC019) -
RACROUTE(REQUEST= AUTH CLASS=DATASET REQSTOR=IAMAVSOC) REP
After adding the above SAFDEF ACF2 dataset access rules will be needed to IAM file opens.