Once the file is approved, it should be locked and should not allow users to edit/download the file. They should only be able to view. Right now, we’re able to do both, even after the file is approved.
To restrict document edit and download you can create a custom role with only read permissions and hide the edit and downloads actions on the basis of the same role by using evaluators. You also need to hide downloads button appears on the document details page conditionally if that role is applied. And apply the same role on the document approval. There are several posts on the community which help you to achieve above things. However, the user will be still able to download the file by calling GetContent rest API manually.