Yes, I did intentionally put not any effort in treating admin
in any special way (in the spirit of this and this), since it’s trivial to add the group and it’s really helpful in testing when admin is subject to the regular security rules.
On the other hand I did not put any effort into closing any “leaks” for admin users either, especially because it could cause problems when administering the forum.
It’s a good remark though and I’ll make it explicit in the start post of this topic.