  1. Moodle
  2. MDL-81091

dataprivacy does not expire user context when override roles exist in system context

    • Bug
    • Resolution: Unresolved
    • Minor
    • None
    • 4.1.10
    • Privacy
    • None

      When you set a Purpose with a default Retention period of e.g. 3 years and then you set an override for e.g. the manager role for like 99 years, and any user has the manager role in a system context, then no user will ever be expired until the manager role is expired, even if the user does not have the manager role.

      One would expect that users that don't have the manager role in the system context get expired according to the default retention period.

       

      Looking at the code from what I understand, this behavior happens because of this:

      In L649 the unexpired will always contain the userids of all the users that have the respective roles in system context, which means the negated empty is always true, so the expiry record will always be deleted immediately after creation.

      It always returns all userids because in get_role_users_for_expired_context(), in L749, get_role_users() returns all users that have the roles in this context (User) or a higher context (System). And the problem here is that the function is not restricted to the current user or something. So for any user it will just return all the respective users, which will just be returned as the nonempty unexpired mentioned above.

       

      This is at the very least how I would understand this problem.

            jjbbss Jeremy Schulz
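The behaviour described in this report, as a simplified model added here (it is not Moodle's code and not part of the original report): a role lookup that is not scoped to the owner of the user context cancels every expiry, while a lookup filtered to the owner does not. All names, the sample data and the scoped variant are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SYSTEM = "system"  # constructed identifier for the system context

@dataclass
class Purpose:
    default_years: int
    role_overrides: dict = field(default_factory=dict)  # role -> retention years

# Constructed sample data: (userid, role, context where the role is assigned)
ASSIGNMENTS = [(1, "manager", SYSTEM), (2, "student", "course:10"), (3, "student", "course:10")]
# Constructed sample data: userid -> years since last activity
INACTIVITY = {1: 5, 2: 5, 3: 1}
PURPOSE = Purpose(default_years=3, role_overrides={"manager": 99})

def users_with_unexpired_roles(purpose, years_inactive):
    """Model of the lookup the report describes: everyone holding a
    still-unexpired override role in the system context, no matter whose
    user context is being evaluated."""
    live = {r for r, y in purpose.role_overrides.items() if years_inactive < y}
    return {uid for uid, role, ctx in ASSIGNMENTS if ctx == SYSTEM and role in live}

def is_expired_as_reported(owner, purpose, years_inactive):
    if years_inactive < purpose.default_years:
        return False
    unexpired = users_with_unexpired_roles(purpose, years_inactive)
    # Reported behaviour: any non-empty result removes the expiry record,
    # even when the owner of the context is not in the result.
    return not unexpired

def is_expired_scoped(owner, purpose, years_inactive):
    if years_inactive < purpose.default_years:
        return False
    unexpired = users_with_unexpired_roles(purpose, years_inactive)
    # Assumed scoping: only the context owner's own roles can block expiry.
    return owner not in unexpired

def expired_users(check, purpose, inactivity):
    return sorted(u for u, years in inactivity.items() if check(u, purpose, years))

if __name__ == "__main__":
    print("as reported:", expired_users(is_expired_as_reported, PURPOSE, INACTIVITY))
    print("scoped:     ", expired_users(is_expired_scoped, PURPOSE, INACTIVITY))
```

In the model, user 2 is past the 3-year default and holds no manager role, yet only the scoped check expires that user; user 1 stays protected by the 99-year override in both.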