In order to restrict (say) release branches to only be updated by PR, write access has to be restricted. However, without write access, the branch cannot be created in the first place.
Is this a common issue? What's the best approach for this?