If a user has the "Configure" right he can also configure the project authorization matrix to grant himself additional rights that he doesn't have.
I think there should be a separate right to be able to edit project authorization matrix than the project configure one.
Right know If you want to give access to a user to configure the project (git SCM, etc.) you need to grant him the configure right but by doing so he's also able to edit the project authorization matrix by himself and grant himself additional rights that he doesn't have so it's not possible to give a user the access to configure a job but not delete it, or delete builds, etc.