It sounds like you want the work to be un-modifiable and un-lockable, which is normally controlled by the security mechanism, which is tied to access groups rather than portals.
So, how about defining a role called “Performer” and associating that role with the access group that is in use when the user is allowed to modify the work, which we can call “AGForPerforming”, and not associating it with the access group that is in use when the user is only allowed to read the work but not modify it, which we can call “AGForReading”?
Things you’ll need to do to flesh this out more:
1) Make sure your flows are configured so the “Performer” role is required for modifying work created by that flow.
2) Make sure the user is using “AGForPerforming” or “AGForReading” as appropriate.
Please see if the PerformCriteria decision rule is being invoked during the opening of the assignment (I assume you already have the perform harness opening from your list view, right?). If PerformCriteria is being invoked, can you do a save-as into your private ruleset and modify it to return false for your desired situation?
/Eric