How come I can set these fields with Postman even though my perform_create method is setting these fields at save with the requested user?

Here is my serializer

class ItemSerializer(serializers.ModelSerializer):
    class Meta:
        model = Item
        fields = '__all__'

My model for items

class Item(models.Model):
    uuid = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
    user = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.CASCADE)
    brand = models.ForeignKey(Brand, on_delete=models.CASCADE)
    title = models.CharField(max_length=200)
    #need to add images
    description = models.TextField()
    price = models.CharField(max_length=50)
    created_on = models.DateTimeField(auto_now_add=True)

Here is the viewset

class ItemViewSet(viewsets.ModelViewSet):
    queryset = Item.objects.all()
    serializer_class = ItemSerializer
    permission_classes = [IsOwnerOrReadOnly]

    def perform_create(self, serializer):
        serializer.save(user=self.request.user)
        brand_qs = Brand.objects.filter(owner=self.request.user)
        if brand_qs.exists:
            serializer.save(brand=brand_qs[0])

So, when using postman I am still required to enter the user and brand fields, and can make the user field any user I want, doesn't save with the requested user.