The zookeeper.superUser system property does not fully grant super user privileges, like zookeeper.DigestAuthenticationProvider.superDigest does.
zookeeper.superUser only has as many privileges as the sasl ACLs on the znode being accessed. This means that if a znode only has digest ACLs zookeeper.superUser is ignored. Or if a znode has a single sasl ACL that only has read privileges zookeeper.superUser only has read privileges.
The reason for this is that SASLAuthenticationProvider implements the superUser check in the matches method, instead of having the super user include a new Id("super","") as Digest does.