I have database account and it is locked. I have APEX application based on this schema. Am I able to change any object in SQL Developer (SQL Plus or whatever)? No. That's correct.
Am I able to change any object in APEX thru SQL Workshop? Yes!
I don't thing this is a correct behaviour. In APEX administration you can deny access to whole SQL Workshop to prevent this, but you also lose legit ability to run/explore anything there. I thing there is a missing functionality which should check locked account and if found then it should either show objects in Object Browser as read only or deny access just to Object Browser. And also fail all executed scripts thru this account.
Maybe this could be a good motivation to always use shadow/proxy schema?