If you give a user read-only to / and read-write to /travel then that user cannot delete components in the travel site because the action needs to set the page editor status.

Recreate issue

• In the Security app, edit the role travel-demo-editor.
• Set the ACLs for website:
  
• Log out.
• Log back in as user eric.
• Attempt to delete component from the travel site.
• Observe the error. delete-error.txt

Expected
The user should be able delete a component with this ACL configuration. It's a logical configuration for system admins. The fact the delete action needs to modify the root node should be handled another way. Perhaps in system context or with a reorder of operations.

Workaround
Use read-write on / and use deny on the sites you want to disallow.