Hello, the plugin's documentation #1 says:

The permissions granted in the matrix are additive. For example, if a user "kohsuke" is in the groups "developers" and "administrators", then the permissions granted to "kohsuke" will be a union of all those permissions granted to "kohsuke", "developers", "administrators", "authenticated", and "anonymous."

The documentation in the Jenkins UI (#2) says:

Permissions are additive. That is, if an user X is in group A, B, and C, then
the permissions that this user actually has are the union of all permissions given to
X, A, B, C, and anonymous.

The difference is that the permissions of authenticated users are missing in #2, which is exactly the behavior that I observed.
However what I expected is the behavior described in #1.

Versions:

• Jenkins: 2.204.2
• Plugins:

  # Authorization
  matrix-auth:2.5
  authorize-project:1.3.0
  
  # Configuration
  configuration-as-code:1.35
  configuration-as-code-support:1.18
  jobConfigHistory:2.24
  
  # Monitoring
  metrics:4.0.2.6
  
  # Node management
  swarm:3.17
  #kubernetes:1.15.5
  
  # Notification
  mailer:1.30
  
  # Pipeline
  blueocean:1.22.0
  http_request:1.8.24
  pipeline-utility-steps:2.5.0
  ssh-steps:2.0.0
  webhook-step:1.4
  workflow-aggregator:2.6
  
  # Utils
  cloudbees-folder:6.11.1
  job-dsl:1.76
  parameterized-trigger:2.36
  thinBackup:1.9
  ws-cleanup:0.38