Does anyone know if this is by design, or how this process can be denied?
This is by design in the fact the user has the ability to READ the content. Once a user has the ability to read the content you can’t prevent them from sending something on.
It would be pointless to be able to block a user from forwarding information. As he could just retype it.
This does not defeat the purpose of Reviewer Access.