I have opened this as a Blocker given the security implications of it.
In Projects -> Behaviours -> Discover pull requests from forks -> Trust, I have chosen the "From users with Admin or Write permission" strategy because I don't want PRs from users outside of those with Admin or Write permission to be able to run jobs on my Jenkins server, ever (well, frankly, I would like to be able to "approve" PRs from such users, but that's a different ticket).
However, during a Repository Scan, PRs from users outside of the above group are being run:
The user that submitted that PR neither is an Admin nor has Write permission. I do believe the permissions are being enforced at the time that updates are being pushed to the PR, but it seems that this Repository Scan is not applying the same permissions/restrictions.