diff --git a/app/policies/saved_annotation_policy.rb b/app/policies/saved_annotation_policy.rb
index 8587980152..9c1ed88e2f 100644
--- a/app/policies/saved_annotation_policy.rb
+++ b/app/policies/saved_annotation_policy.rb
@@ -1,9 +1,7 @@
 class SavedAnnotationPolicy < ApplicationPolicy
   class Scope < ApplicationPolicy::Scope
     def resolve
-      if user&.zeus?
-        scope.all
-      elsif user&.a_course_admin?
+      if user&.zeus? || user&.a_course_admin?
         scope.where(user_id: user.id)
       else
         scope.none
diff --git a/test/controllers/saved_annotation_controller_test.rb b/test/controllers/saved_annotation_controller_test.rb
index 7d40261cea..5132a21100 100644
--- a/test/controllers/saved_annotation_controller_test.rb
+++ b/test/controllers/saved_annotation_controller_test.rb
@@ -31,4 +31,22 @@ def setup
     assert_response :success
   end
+
+  test 'zeus should not have access to saved annotations of other users' do
+    sign_in users(:staff)
+    get saved_annotations_url, params: { format: :json }
+
+    assert_response :success
+    assert_equal 1, response.parsed_body.length
+
+    sign_in users(:zeus)
+    get saved_annotations_url, params: { format: :json }
+
+    assert_response :success
+    assert_equal 0, response.parsed_body.length
+
+    get saved_annotation_url(@instance), params: { format: :json }
+
+    assert_response :forbidden
+  end
 end
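Review bot: The rewritten `resolve` now confines zeus to its own rows, but nothing in the policy says this is deliberate, and a reader used to other policies (where zeus usually gets `scope.all`) will take it for a regression; add a why-comment above the condition, e.g. `# Saved annotations are personal: zeus is intentionally limited to their own rows, not scope.all`. The test added in this commit also expects `:forbidden` on the show route, which is decided by the policy's per-record predicates rather than by this Scope; those methods are outside the hunk, so confirm they apply the same owner check or the scope change alone will not make that assertion pass. As a point of style, the doubled safe-navigation `user&.zeus? || user&.a_course_admin?` can be written `user && (user.zeus? || user.a_course_admin?)`, which is equivalent and makes the unguarded `user.id` on the next line read as obviously safe.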
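Review bot: The zeus assertions in the new test cannot distinguish `scope.where(user_id: user.id)` from `scope.none`: the index returns 0 for zeus because the fixtures give zeus no saved annotations, so the test would pass equally under a blanket deny, and the name 'should not have access to saved annotations of other users' promises a distinction it never checks. Create one saved annotation owned by `users(:zeus)` before the second request (with whatever fixture or factory the suite already uses for `@instance`), then assert `assert_equal 1, response.parsed_body.length` after the zeus sign-in and that the returned record is the zeus-owned one, keeping the existing `:forbidden` check on `saved_annotation_url(@instance)`. Note that `@instance` comes from `setup`, which is outside the hunk, so the forbidden assertion presumably relies on it being owned by `users(:staff)` — confirm that. The `assert_equal 1` for staff likewise couples the test to the exact fixture count rather than to the owned record, which is worth tightening in the same way.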