Currently, if an approval job has a restricted context downstream from an on-hold job, the actor will be able to trigger the pipeline, but the restricted context will be enforced downstream.
> This approval job may be approved by any member of the project, but the deploy job will fail as unauthorized if the approver is not part of the restricted context security group.
This feature request is to restrict those actors from approving the job as well.
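To find where this gap applies in an existing configuration, the following added example (not part of the original request and not CircleCI's own code) lists every approval job together with the contexts used by jobs downstream of it, so each context's security group can be compared with who is able to approve. It assumes the `workflows` section of `.circleci/config.yml` has already been parsed into a dict and that `requires` entries are plain job names; the workflow, job and context names are constructed.

```python
# Added example: audit approval gates against downstream contexts.
# SAMPLE_WORKFLOWS is constructed data standing in for a parsed
# .circleci/config.yml "workflows" section; all names are hypothetical.
SAMPLE_WORKFLOWS = {
    "release": {"jobs": [
        "build",
        {"hold": {"type": "approval", "requires": ["build"]}},
        {"deploy": {"context": ["prod-deploy"], "requires": ["hold"]}},
        {"notify": {"context": "slack-alerts", "requires": ["deploy"]}},
    ]},
    "docs": {"jobs": [
        {"review": {"type": "approval"}},
        {"publish": {"requires": ["review"]}},
    ]},
}

def _normalize(entries):
    """Map job name -> settings for one workflow's job list."""
    jobs = {}
    for entry in entries:
        if isinstance(entry, str):          # bare job name, no settings
            jobs[entry] = {}
        else:                               # single-key mapping: {job: settings}
            (key, settings), = entry.items()
            settings = settings or {}
            jobs[settings.get("name", key)] = settings
    return jobs

def _contexts(settings):
    """A job's context may be a single string or a list of strings."""
    ctx = settings.get("context", [])
    return [ctx] if isinstance(ctx, str) else list(ctx)

def approval_gates(workflows):
    """Return (workflow, approval job, downstream job, context) tuples."""
    findings = []
    for wf_name, wf in workflows.items():
        jobs = _normalize(wf.get("jobs", []))
        for gate, settings in jobs.items():
            if settings.get("type") != "approval":
                continue
            seen, frontier = set(), [gate]
            while frontier:                 # walk everything that requires the gate
                current = frontier.pop()
                for name, s in jobs.items():
                    if current in s.get("requires", []) and name not in seen:
                        seen.add(name)
                        frontier.append(name)
            for name in sorted(seen):
                findings.extend((wf_name, gate, name, c) for c in _contexts(jobs[name]))
    return findings
```

Whether a listed context is restricted is an organization setting and is not visible in the config file, so each reported context still has to be checked against its security group.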