Type: Bug
Resolution: Duplicate
Priority: Blocker
Jenkins 2.150.2
Github Branch Source Plugin 2.4.2
I have opened this as a Blocker given the security implications of it.
In Projects->Behaviours->Discover pull requests from forks->Trust I have chosen the From users with Admin or Write permission strategy because I don't want PRs from users outside of those with Admin or Write permission to be able to run jobs on my Jenkins server, ever (well, frankly, I would like to be able to "approve" PRs from such but that's a different ticket).
However, during a Repository Scan, PRs from users outside of the above group are being run:
    Checking pull request #28 (not from a trusted source)
      ‘Jenkinsfile’ found
      Not mergeable, build likely to fail
      Met criteria
      Changes detected: PR-28 ([redacted1]+[redacted2] → [redacted1+[redacted3)
    Scheduled build for branch: PR-28
The user that submitted that PR is neither an Admin nor has Write permission. I do believe the permissions are being enforced at the time that updates are being pushed to the PR, but it seems that this Repository Scan is not applying the same permissions/restrictions.
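As an added example (not part of this issue or of the plugin's code), a small check an administrator could run over repository-scan log output to list pull requests that the scan labelled as not from a trusted source and then scheduled anyway; the message format is assumed from the excerpt above, and the sample log lines are constructed:

```python
import re

# Constructed sample of repository-scan log output, modelled on the excerpt
# in this issue. The excerpt was collapsed onto one line; here each scan
# message sits on its own line, which is how Jenkins prints it.
SAMPLE_LOG = """\
Checking pull request #27
    'Jenkinsfile' found
    Met criteria
    Changes detected: PR-27 (aaaa1111 → bbbb2222)
    Scheduled build for branch: PR-27
Checking pull request #28 (not from a trusted source)
    'Jenkinsfile' found
    Not mergeable, build likely to fail
    Met criteria
    Changes detected: PR-28 (aaaa1111+cccc3333 → aaaa1111+dddd4444)
    Scheduled build for branch: PR-28
Checking pull request #29 (not from a trusted source)
    'Jenkinsfile' found
    Does not meet criteria
"""

# Header line of one PR's scan block; the optional suffix is the plugin's
# trust marker as it appears in this issue.
PR_HEADER = re.compile(
    r"^Checking pull request #(\d+)(?P<untrusted> \(not from a trusted source\))?")
SCHEDULED = re.compile(r"^\s*Scheduled build for branch: PR-(\d+)")


def untrusted_builds_scheduled(log_text):
    """Return PR numbers the scan marked untrusted but still scheduled a build for."""
    flagged = []
    current_pr = None
    current_untrusted = False
    for line in log_text.splitlines():
        m = PR_HEADER.match(line)
        if m:
            # New PR block: remember its number and trust marker.
            current_pr = m.group(1)
            current_untrusted = m.group("untrusted") is not None
            continue
        m = SCHEDULED.match(line)
        if m and current_untrusted and m.group(1) == current_pr:
            flagged.append(int(current_pr))
    return flagged


if __name__ == "__main__":
    for pr in untrusted_builds_scheduled(SAMPLE_LOG):
        print(f"WARNING: untrusted PR #{pr} was scheduled by the repository scan")
```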
Duplicates: JENKINS-53752 Block PRs from forks from untrusted users (Reopened)