The browser of the user who is loading the page and requesting the content is the literal client that's performing the action. It's also responsible for executing any client scripts, UI scripts, client-side UI actions, processing the UI policies and applying UI policy actions. This includes controlling whether fields are mandatory, read-only, or indeed visible at all.
This can seem like an effective means of protecting content; for example, by hiding a field if the user doesn't have the appropriate permissions, or even setting it as read-only using a client script or UI policy. However, it's important to realize that any client-side measures can be overridden by the user!
Anything which really needs to be secured so the user can't see or modify it should be secured using ACLs (security rules). Data policies are another option, and can be used as UI policies on the client as well. This way, data policies can back up their client-side component, making them more secure and effective...
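The distinction above, as an added example (a simplified model written for this page, not ServiceNow's ACL engine or API): the server checks read and write rules for every field, whatever the form in the browser showed as hidden or read-only. The `FIELD_ACLS` table and all function, field, role and user names are assumptions made up for the illustration.

```javascript
// Simplified model (not ServiceNow code): field ACLs enforced on the server,
// independent of whatever the form in the browser showed or hid.
// Field and role names are constructed for this example.
const FIELD_ACLS = {
  short_description: { read: [], write: [] },            // empty list = any user
  salary_band:       { read: ['hr_admin'], write: ['hr_admin'] },
  state:             { read: [], write: ['itil'] },
};

function allowed(user, field, op) {
  const acl = FIELD_ACLS[field];
  if (!acl) return false;                                 // default deny for unknown fields
  const roles = acl[op];
  return roles.length === 0 || roles.some((r) => user.roles.includes(r));
}

// Server-side read: fields the user may not read never leave the server,
// so there is nothing left for a client script to "hide".
function readRecord(user, record) {
  const out = {};
  for (const [field, value] of Object.entries(record)) {
    if (allowed(user, field, 'read')) out[field] = value;
  }
  return out;
}

// Server-side write: every submitted field is checked, whether or not the
// form rendered it read-only. Denied fields are reported and left unchanged.
function applyUpdate(user, record, submitted) {
  const updated = { ...record };
  const denied = [];
  for (const [field, value] of Object.entries(submitted)) {
    if (allowed(user, field, 'write')) updated[field] = value;
    else denied.push(field);
  }
  return { updated, denied };
}

// Constructed sample data.
const record = { short_description: 'Laptop request', salary_band: 'B2', state: 'open' };
const requester = { name: 'user.a', roles: [] };
const hrAdmin = { name: 'user.b', roles: ['hr_admin', 'itil'] };

// A submission carrying values for fields the form had marked read-only or hidden.
const submission = { short_description: 'Laptop request (urgent)', salary_band: 'D4', state: 'closed' };
const result = applyUpdate(requester, record, submission);
console.log(readRecord(requester, record), result);
```

The `denied` list is also a useful audit signal: a submission that carries fields the form never offered for editing did not come from normal use of the UI.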