The Django RestFramework serializer validates all possible fields and finally returns set of errors.

That is, suppose you are expecting two validation errors in serializer, in that one validation error is raised by MyValidationError. In that case DRF obviously return HTTP 400 status code, because the design patterns of DRF not raising individual validation errors.

The serializer validation process done inside the is_valid() method and it raises ValidationError at the end of the method.

def is_valid(self, raise_exception=False):
    ....code
    ....code
    if self._errors and raise_exception:
        raise ValidationError(self.errors)

    return not bool(self._errors)

and the ValidationError class raises HTTP 400

class ValidationError(APIException):
    status_code = status.HTTP_400_BAD_REQUEST
    default_detail = _('Invalid input.')
    default_code = 'invalid'
    .... code

Why PermissionDenaid returns custom status code?

In the is_valid() (source code) method, it catches only ValidationError

if not hasattr(self, '_validated_data'):
    try:
        self._validated_data = self.run_validation(self.initial_data)
    except ValidationError as exc:
        self._validated_data = {}
        self._errors = exc.detail
    else:
        self._errors = {}

Conclusion

DRF Serializer ValidationError never returns status code other that HTTP 400 because it catches other sub validation error exceptions(if any) and atlast raises a major ValidationError which return HTTP 400 status code by it's design pattern

Reference:
is_valid() source code
ValidationError class source code