Hi Dana,

That does appear to be the behavior out of the box as well. There are ACLs for create which allow any user who can write to the parent record (in your case the hr_case) to create checklists.

You should be able to restrict that by editing the create ACLs on the checklist table to tailor access to your specific needs.