Hi Jonathan, section access applies to the user credential that open the document, maybe there is other thing than the Service Account.
When you say the exclusion is well done on desktop...¿You open the qvw file or the puiblished document through the server? security can work different when you open a local document. It can happen than nobody has access to the document, but opening in server implies nobody can access but opened locally implies that security is not applied.
You can add a field to section access to verify that security is applying correctly, checking 'Initial data reduction' you can check if when you open a document, you only see data related to your user.
IMPORTANT: before making changes to security do a backup, you can lock the document to everybody, including yourself.
I think what is happening is that Publisher opens the document with the initial data reduction based on the service account. After reload it distributes the file to where you want it to be saved and saves it with the data reduced on the service account.
I think what you need to do is exclude the service account in the data reduction part of SA. But this will become evident if you upload your section access part.