I believe that this is expected given the specification of `guix
environment`, which is its chapter in the manual. [0]

It says, "For containers, the default behavior is to share the current
working directory with the isolated container and immediately change to
that directory within the container. If this is undesirable, --no-cwd
will cause the current working directory to not be automatically shared
and will change to the user’s home directory within the container
instead."

For this command, the word "share" means that the shared directories
will be read-write.

Did you use the --no-cwd option? If not, were you able to access any
files outside of the current working directory of the `guix environment
...` command invocation?

[0] https://guix.gnu.org/manual/en/html_node/Invoking-guix-environment.html#Invoking-guix-environment