It's been found that users with mod/data:comment capability set to Prohibit can still comment database activities. As I can see mod/data:comment capability is not used at all. As part of MDL-20346 comments were re-worked and since then this capability was never used.

Steps to replicate:

1. Create a course.
2. Create a database activity with Allow comments on entries set to Yes.
3. Add a field and then add an entry.
4. Edit Student role and set mod/data:comment to Prohibit.
5. Enroll a user with Student role.
6. Login as Student.
7. Confirm, that you can comment database activity.

Prohibiting moodle/comment:post for a role works, so I assume we eqither need to deprecate mod/data:comment capability or fix the callback https://github.com/moodle/moodle/blob/eab63d2cfed451e99c1b27c1cfd5638f0ba7c9e9/mod/data/lib.php#L3908 to honour `mod/data:comment` capability.

PS: I wasn't able to find an existing tracker for this issue, so if there is one, please feel free to close this tracker.