Explicit permissions can be copied and pasted between any objects a user can modify

I've been testing for an upgrade, and I've noted that if a user has the ability to modify an item, and that item has an explicitly set permission, the user can copy that permission and paste it onto any other item with an explicitly specified permission. This can happen even with the permission-modify privilege disabled.
As we have several thousand passwords to manage, we discovered that using shortcuts as a method of sharing caused issues with improper modification between groups, and general instability in the software as our entry counts were in the tens of thousands. It was also decided that all credentials would be in the same vault and not in segmented vaults (so no separate layers between OS credentials and application credentials, for example). Thus, a design using a service > prod/dev/stg > system/application model was created, and these are managed using role assignments rather than shortcuts. I've attached an example including the view permission on the objects for reference (green users can add/edit/delete, red users cannot, in order to ensure integrity with the view roles).
[attached image]
As we have some non-sysadmin staff that have administrative access to their servers using the RDM tool, credential entries are created using templates with View Password restricted behind certain roles. This allows us to grant administrative access to a server, but not allow the use of the password, to help limit some modifications or runas on other machines. For example, the Domain credential for the server login IMATEST has a role, "Credential Revealer - Domain Account", attached to its reveal.
The problem is that, from a very general perspective, anybody that can access an item has the modify ability. That ability allows you to grab the "Credential Revealer - x" permission from one of the other items (as well as anything set on any of the green containers) that the user can access and paste it onto an object that they can modify, but perhaps not reveal passwords in. Even with adding the complexity of additional modification roles, I can still foresee issues with this from someone who may have a unique set of roles.

My question is, is this copying and pasting of explicitly set permissions intentional for users that cannot modify permissions, but can otherwise modify an entry, or is this a bug? If it's the former, is the only way to disable the modify ability to stop the ability to do these permission changes?
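As an added illustration (not RDM code; the entry, role and privilege names are constructed for the example), a small Python model of the path described in the post: entry-modify access alone lets explicit grants be pasted onto another entry, whereas treating paste as a permission change that requires the permission-modify privilege closes it:

```python
# Hypothetical model of the permission-copy path; not the product's own code.
MODIFY_ENTRY = "modify_entry"              # hypothetical: may edit the entry
MODIFY_PERMISSIONS = "modify_permissions"  # hypothetical: may change its grants

class Entry:
    def __init__(self, name, reveal_roles):
        self.name = name
        self.reveal_roles = set(reveal_roles)  # explicit "View Password" grants

class User:
    def __init__(self, name, roles, privileges):
        self.name = name
        self.roles = set(roles)
        self.privileges = set(privileges)

def can_reveal(user, entry):
    """A user reveals the password only through a role granted on the entry."""
    return bool(user.roles & entry.reveal_roles)

def paste_permissions_unchecked(user, src, dst):
    """Reported behaviour: entry-modify access alone is enough to paste grants."""
    if MODIFY_ENTRY not in user.privileges:
        return False
    dst.reveal_roles = set(src.reveal_roles)
    return True

def paste_permissions_checked(user, src, dst):
    """Expected behaviour: pasting explicit grants is a permission change, so it
    needs the permission-modify privilege on top of entry-modify access."""
    if {MODIFY_ENTRY, MODIFY_PERMISSIONS} - user.privileges:
        return False
    dst.reveal_roles = set(src.reveal_roles)
    return True

def demo():
    """Replay the scenario: a user with only app-level reveal rights and
    entry-modify access copies an app entry's grants onto a domain entry."""
    results = {}
    for label, paste in (("unchecked", paste_permissions_unchecked),
                         ("checked", paste_permissions_checked)):
        domain = Entry("IMATEST domain login", ["Credential Revealer - Domain Account"])
        app = Entry("IMATEST app login", ["Credential Revealer - App Account"])
        user = User("alice", ["Credential Revealer - App Account"], [MODIFY_ENTRY])
        results[label] = {"before": can_reveal(user, domain),
                          "accepted": paste(user, app, domain),
                          "after": can_reveal(user, domain)}
    return results
```

With the unchecked paste the user ends up able to reveal the domain password; with the checked paste the operation is refused and the grants are unchanged.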

All Comments (3)

Hello,

Thank you for contacting us on that matter!

Which version of RDM and what type of Data Source are you currently using? Also, I would like to see this behavior in action; would you be interested in having a remote session with us? During this session, we could record the steps leading to this issue and see what can be done on that matter. It will also allow us to validate your current configuration.

Best regards,

James Lafleur

Oh, my bad, I thought I had put that in. The version currently in testing is 2021.2.27.0. I have the same behaviour with 2021.2.21.0 and 2021.1.36.0. We're using an on-premises SQL Server 2017.
A remote session would be fine, but it will need to wait until the new year. I can submit a support ticket in the new year and reference this thread as well.
Thanks!

Perfect! In that case, I will wait for your ticket.

Happy Holidays!

James Lafleur