Device Sync write permission but ONLY over functions

How can I make it so that a default user cannot write any data in any collection, but when he calls a function (from the client), that function can still write data? I tried it with System functions and added {runAsSystemUser: true}, but it still doesn't work. The user either has unrestricted write permissions or can't write anything at all, even from a System function.