Your UI Policy needs to take into account two conditions: make it read-only if:

  1. it contains content
  2. the current user doesn't hold an override privilege

If both of these hold true, then it becomes grayed out.



By the looks of things, you may need some scripting to determine the roles - so perhaps two ACLs that cover the two permissible "write" situations would be easier:

  • field currently contains no content and the user holds a fulfiller role (or whoever can make changes)
  • field contains content but the user holds the bypass role