In the Developer Console UI I cannot edit data as expected with this 'can view' user. However I am able to write to datastore by connecting to our Remote API Servlet on App Engine. From what I can tell, you can only apply an admin security constraint to servlets on App Engine but this still opens it up to all members of the project wether they are an owner, can write or can view. And then I'm guessing the Remote Api uses the default app engine service account which has write permissions.
Is there any way to completely lock an account down to be read only if you also want to use the Google Remote API? Is this not considered a flaw with the Remote API?
This is intended behaviour. Any administrator of the app - no matter in what role - can access the app using the remote api. Remote API does not use the default service account, it is merely a bridge to the datastore API that is tunneled over HTTP.
If you want to lock down to read for a given user, build your own REST Api that provides readonly access.