When you work in the MODX manager, the current context is “mgr”, and when you save a resource, it is only checked if you have the save_document permission for the “mgr” context (no matter in what context the resources was created).
Having the save_document permission in another context (like e.g. “web-nl”) would only be relevant, if you accessed the resource on the front-end and then (for example) checked this permission in a snippet ($modx->hasPermission('save_document')).
I think the only way to restrict a certain user in the manager from editing resources in a certain context, is to not give them any permission to that context.
See also this older thread: