We just discovered that a user with viewer-uploader permissions can unlock files which our team believes is an unacceptable security flaw. The viewer-uploader level of security is required for a user to create a folder within a folder that we have granted them access to, but other than that level of editing our external invited partners should not have the ability to manage a security feature such as unlocking a file or folder.