Hi, yes there are a lot of read ACL's for sys_attachment but these are primarily table specific.
If 1 ACL elevates to true then access will be granted and you cannot reverse this by adding a 'new' deny ACL, meaning you will need to identify and alter (or disable) any sys_attachment ACL's that are evaluating to true (for the related table) and you should be able to identify specific ACL's via security debug.
Once you have a smaller subset of ACL records relevant to your related table (some of the table specific evaluation may be via script within the ACL), you will need to review each ACL and then update to ensure your admin users are excluded correctly.