Github support came back to me.

This happens because the type of merge my developer was doing is a fast forward merge (ff) which maintains linear history. So all branch protections currently in place were met.

To stop this to happen, I needed to tick the box:

`Restrict who can push to matching branches`

So long as the user is not an Organization administrator, repository administrator, and user with the Maintain role this will work and prevent this CLI ff method for regular users.