It is possible for users to spend entitlements to enroll in runs that are no longer upgradable by sending a manual request to the entitlement enrollments API. Although this is unlikely to happen, it would probably be a good idea to add some validation to the API to ensure that the run the user is trying to enroll in is actually enrollable and upgradable.
Validate that a user cannot enroll in a course that is not upgradable.
These changes will be needed in the Entitlement Enrollment API.
Probably just rework get_visible_sessions_for_entitlement(entitlement) or get_fulfillable_course_runs_for_entitlement in ..djangoapps/catalog/utils.py
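
A sketch of the server-side check described above, added here as an illustration and not taken from edx-platform: the requested run key is resolved against catalog data and rejected unless the run belongs to the entitled course, is still enrollable, and is still upgradable. The `CourseRun` and `Entitlement` classes, the `validate_entitlement_enrollment` function, the reason strings, and the sample keys are all hypothetical; treating a missing upgrade deadline as "not upgradable" is an assumption of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical stand-ins for catalog data; not edx-platform models.
@dataclass(frozen=True)
class CourseRun:
    key: str
    course_uuid: str
    enrollment_end: Optional[datetime]    # None = enrollment never closes
    upgrade_deadline: Optional[datetime]  # assumption: None = no upgrade path

@dataclass(frozen=True)
class Entitlement:
    course_uuid: str

def is_enrollable(run, now):
    return run.enrollment_end is None or now < run.enrollment_end

def is_upgradable(run, now):
    return run.upgrade_deadline is not None and now < run.upgrade_deadline

def validate_entitlement_enrollment(entitlement, run_key, catalog_runs, now):
    """Return (ok, reason). The client-supplied run_key is resolved against
    server-side catalog data and re-checked; it is never trusted as sent."""
    run = next((r for r in catalog_runs if r.key == run_key), None)
    if run is None or run.course_uuid != entitlement.course_uuid:
        return False, "run_not_in_entitled_course"
    if not is_enrollable(run, now):
        return False, "run_not_enrollable"
    if not is_upgradable(run, now):
        return False, "run_not_upgradable"
    return True, "ok"

# Constructed sample data (course and run keys are made up).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
DAY = timedelta(days=1)
RUNS = [
    CourseRun("run-open", "course-A", NOW + 30 * DAY, NOW + 10 * DAY),
    CourseRun("run-past-upgrade", "course-A", NOW + 30 * DAY, NOW - DAY),
    CourseRun("run-closed", "course-A", NOW - DAY, NOW + 10 * DAY),
    CourseRun("run-other-course", "course-B", NOW + 30 * DAY, NOW + 10 * DAY),
]
ENTITLEMENT = Entitlement("course-A")

if __name__ == "__main__":
    for r in RUNS:
        print(r.key, validate_entitlement_enrollment(ENTITLEMENT, r.key, RUNS, NOW))
```

Returning a distinct reason per failure lets the API respond with a specific error and lets logs show which rule a manual request tripped.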