Public Wikis on Private Repos are world writeable
As noted in the comments for Issue #2462:
https://confluence.atlassian.com/display/BITBUCKET/Repository+privacy,+permissions,+and+more#Repositoryprivacy,permissions,andmore-HowPermissionsworkforIssueTrackersandWikis claims that one can set the repo private and the wiki public to limit writes but allow public reading of the wiki. But with that setup, it is still possible for anyone to modify the wiki by clone, commit, and push.
IMHO, this is a major bug -- anyone can deface public wikis that are supposed to be read-only -- it's not just a feature request like issue #2462.