It is often assumed that the audit-level role permission Manage Audit Attachments will allow control of whether a user is able to add/delete attachments anywhere within an audit.

In fact this permission is relevant to only the Audit Attachments screen.

At the lower levels (Objectives, Risks, Controls, Tests etc.) attachments are considered as part of the 'execution' of a record, so in order to prevent uploading of an attachment to e.g. Risks it is necessary to set Deny against the Risk Execution fields via the Execute Risks permission.