The issue came about because of a misunderstanding on how the ACLs 'Create' and 'Read' interact.

I incorrectly believed that the 'Create' ACL would give access to the fields in the creation form, regardless of any 'Read' ACLs in place. I thought that the 'Read' ACL applied to existing records rather than also to those being created.

I added an OR block to the User's 'Read' ACL to also allow access when 'current.isNewRecord()' returned true.