You are correct that the issue is caused by old permissions being set when the employee was a ServiceDesk engineer.
The below query will show which incidents the user can edit. You will need to update the CanEdit permission from the ReportProcessPermission table to be 0 to prevent the user from editing the tickets in the future.
DECLARE @User NVARCHAR(200);
SET @User = '<user primary e-mail here>';   -- the query filters on this value; replace the placeholder
SELECT rp.ReportProcessID,
       CASE rpp.ReferenceType
            WHEN 1 THEN 'User'
            WHEN 2 THEN 'Group'
            WHEN 3 THEN 'Permission'
            WHEN 4 THEN 'Organization'
       END AS 'Reference Type',
       rpp.CanEdit
FROM ReportProcess rp
JOIN ReportProcessPermission rpp ON rpp.SessionID = rp.SessionID
JOIN [User] u ON u.UserID = rpp.ReferenceID
LEFT JOIN ReportProcessContact rpc ON rpc.ReferenceID = rpp.ReferenceID
                                  AND rpc.SessionID = rp.SessionID   -- match the contact row for this ticket only
WHERE u.PrimaryEmail = @User
  AND rpp.CanEdit = 1          -- only permission rows that still grant edit
  AND rpc.SessionID IS NULL;   -- skip tickets where the user is a legitimate contact
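The answer describes the remediation (set CanEdit to 0 on the stale ReportProcessPermission rows) but does not show the statement. Below is an added T-SQL example, not part of the original answer or of the ServiceDesk product, that performs that update. It assumes the same tables and columns the SELECT above uses (ReportProcess, ReportProcessPermission, ReportProcessContact, [User]) and that ReferenceType = 1 means a user reference, as the CASE expression indicates; the e-mail address is a placeholder. It first counts the rows the SELECT would return, runs the UPDATE inside a transaction, and rolls back if the number of rows actually changed differs from that count, so a mismatch leaves the database untouched.

```sql
-- Added example (not the original answer's code). Assumes the ServiceDesk tables
-- and columns used by the answer's SELECT; the e-mail value is a placeholder.
DECLARE @User NVARCHAR(200) = '<former-servicedesk-engineer@example.com>';  -- placeholder, replace
DECLARE @Expected INT;
DECLARE @Updated  INT;

BEGIN TRANSACTION;

-- Step 1: count the stale edit grants that are about to be revoked.
-- Same join logic as the answer's SELECT, plus ReferenceType = 1 so that a
-- group/permission/organization row whose numeric ReferenceID happens to equal
-- this UserID is not touched (assumption: 1 = 'User', per the CASE above).
SELECT @Expected = COUNT(*)
FROM ReportProcessPermission rpp
JOIN ReportProcess rp        ON rp.SessionID = rpp.SessionID
JOIN [User] u                ON u.UserID = rpp.ReferenceID
LEFT JOIN ReportProcessContact rpc ON rpc.ReferenceID = rpp.ReferenceID
                                  AND rpc.SessionID  = rp.SessionID
WHERE u.PrimaryEmail   = @User
  AND rpp.ReferenceType = 1
  AND rpp.CanEdit       = 1
  AND rpc.SessionID IS NULL;   -- leave tickets where the user is a real contact alone

-- Step 2: revoke edit on exactly those rows.
UPDATE rpp
SET rpp.CanEdit = 0
FROM ReportProcessPermission rpp
JOIN ReportProcess rp        ON rp.SessionID = rpp.SessionID
JOIN [User] u                ON u.UserID = rpp.ReferenceID
LEFT JOIN ReportProcessContact rpc ON rpc.ReferenceID = rpp.ReferenceID
                                  AND rpc.SessionID  = rp.SessionID
WHERE u.PrimaryEmail   = @User
  AND rpp.ReferenceType = 1
  AND rpp.CanEdit       = 1
  AND rpc.SessionID IS NULL;

SET @Updated = @@ROWCOUNT;

-- Step 3: only commit when the update hit the rows that were previewed.
IF @Updated <> @Expected
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected to revoke %d rows but UPDATE affected %d; nothing committed.',
              16, 1, @Expected, @Updated);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT CONCAT('Revoked CanEdit on ', @Updated, ' stale permission rows for ', @User);
END
```

Run the SELECT from the answer first and keep its output; it is the list of ReportProcessIDs you expect the UPDATE to touch, and the row-count guard above will refuse to commit if anything else would be changed.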