This is a known issue, apologies for the confusion and your experience here.
Currently, when you fork a repo with Dependabot version updates enabled, your fork will also have Dependabot version updates enabled. This is because Dependabot version updates is configured with a dependabot.yml config file.
To disable Dependabot version updates, remove the dependabot.yml config file from your repo. (I realize this complicates suggesting changes, which is why this is a bug we are working to address today.)
EDIT: I tried switching the three settings shown in my original post on/off to see if that would help.
The settings on the Security tab only control Dependabot security updates, not also Dependabot version updates. Dependabot version updates are only controlled with the configuration file.
Notice how now it says public repos always have dependency graph enabled. I guess that’s how Dependabot was running even though I appeared to not have the dependency graph switched on.
Dependency Graph is on for all public repos and cannot be disabled on public repos. Dependabot version updates (which is what you are dealing with here) does not require the dependency graph - it doesn’t check your dependencies from the graph, only suggests edits to what’s in your lockfile.