How does $allowedFields protect against mass assignment vulnerabilities?

See https://cheatsheetseries.owasp.org/cheat...Sheet.html

It seems that I can't set any field unless it's on the $allowedFields list.

Yes. Only $allowedFields can be set.

ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper