This is the case even if flags.enforce_container_disk_quota is true. When a task/executor doesn't specify a disk resource, it still gets to write to the container sandbox. However the posix disk isolator doesn't limit it.
Even though tasks always have access to the sandbox, it should be able to write zero bytes if it doesn't have any disk resource (it can still touch files). This likely will cause tasks to immediately fail due to stdout/stderr/executor download, etc. but should be the correct behavior (when flags.enforce_container_disk_quota is true).