Custom function run anonymously so the implicit consequence is that they can not do anything that requires authorization.
Changing a range protection
requires an authorization , that’s why you can’t use it and get the message you get…
Same situation for getEffectiveUser()
, it requires an authorization too.
Unlike most other types of Apps Scripts, custom functions never ask
users to authorize access to personal data. Consequently, they can
only call services that do not have access to personal data