IAP User is able to access a Cloud Run without permission

Steps to reproduce this:

• create a Cloud Run service with "Require authentication" options setup ingress options to be "Allow internal traffic and traffic from Cloud Load Balancing"
• expose the service using and External Load Balancer with IAP enabled
• give the user the role "IAP-Secured Web App User" for the backend service

The user will be able to access the Cloud Run service without explicit permission.

You can follow this tutorial to have a working examples hodo.dev/posts/post-30-gcp-cloudrun-iap/

Is this a bug or is the expected behavior?

If this is expected then where this implicit user permission is documented?

Google's Identity Aware Proxy (IAP) acts a front-end for access to back-end systems. For certain back-ends, if a request is received by IAP, then IAP will do the work to validate that the user is suitably authorized to make the final request. What this implies is that if a request directly to the backend then the backend will have the responsibility for approval. However, if we route through IAP, then we have delegated to IAP the approval responsibility. As such, the requesting user will be able to access the services of the backend (eg. Cloud Run) without needing explicit Cloud Run approval because we have defined that IAP can make the decision and Cloud Run trusts that IAP's decision is sufficient.