Transitive subgroup permissions unexpectedly elevated

Summary

See steps to reproduce.

Steps to reproduce

1. Create a group (say Supergroup)
2. Create two subgroups (e.g. group1 and group2) in Supergroup and assign each a user (say user1 and user2) as a maintainer.
3. Invite both group1 and group2 in Supergroup as maintainers.
4. Create a project (Proj) and invite Supergroup as guests -> user1 and user2 obtain guest permissions for Proj
5. Invite group1 into Proj as maintainers -> user1 becomes a maintainer in Proj (expected)
6. Check user2 permissions in Proj -> user2 is also a maintainer (unexpected)

The fact that group1 and group2 are subgroups in the Supergroup is important, if all three groups are parallel to each other the permissions work as expected.

Here is the final state of the setup:

Example Project

What is the current bug behavior?

user2 is a maintainer in the project Proj.

What is the expected correct behavior?

user2 remains a guest in the project Proj.