Is my mental model of permissions correct?

Re: Is my mental model of permissions correct?

by N. N. -

After conducting some tests, I've realized the following:

• It seems the docs here are wrong: https://docs.moodle.org/31/en/Roles_FAQ#How_can_I_prevent_a_user_from_changing_their_own_password.3F

For any given permission, for a user having 'Allow' on Authenticated User (System context), and 'Prevent' on another System role, 'Allow' should win. Suggestion #2 in the section I linked doesn't work; it should be 'Prohibit' if you want to overrule the 'Allow' from Authenticated User, not 'Prevent', as 'Prevent' loses to 'Allow'. Context doesn't matter at all, as any 'Allow' anywhere defeats any 'Prevent' anywhere.


• This bit in the docs also seems wrong: "Permissions at a "lower" context will generally override anything at a "higher" context (this applies to overrides and assigned roles)."

It's only true for manual overrides.

For assigned roles, 'Allow' always defeats 'Prevent' and 'Not Set,' except if there's a 'Prohibit.' This seems to be completely unaffected by context. If for a given permission, a user's role has 'Prevent' on all contexts except for 1 'Allow,' then the 'Allow' will win - it doesn't matter at all which context has the 'Prevent' and which has the 'Allow.'


• It also appears that 'Not Set' behaves 100% the same way as 'Prevent.' I thought the idea of 'Not Set' was to inherit permissions from the larger scope - but when you think about it, it turns out there is never something to inherit. A user having at least 1 'Allow' in any context will always result in 'Allow,' even if there's a 'Not Set' or 'Prevent' in any other context. The only exception is if there's a 'Prohibit' in any of the user's roles, in any context - then the 'Prohibit' wins.

Can anyone explain to me why 'Not Set' exists?


__

Am I taking crazy pills, or are the docs completely inconsistent when it comes to roles & permissions?
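
The rules observed in the post above can be written down as a small model, which makes them easy to test against a real site. This is an added example, not part of the original post and not Moodle's own code; the `Perm` enum, the function names, the depth numbers and the role names other than Authenticated User are hypothetical, and it assumes that 'Not Set' on a manual override falls back to the next higher setting of the same role.

```python
from enum import Enum

class Perm(Enum):
    NOT_SET = "not set"
    ALLOW = "allow"
    PREVENT = "prevent"
    PROHIBIT = "prohibit"

def role_effective(settings):
    """Result for ONE role: the lowest context whose setting is not 'Not Set' wins.

    settings: list of (context_depth, Perm); depth 1 = System, larger = lower context.
    Assumption: 'Not Set' means "look at the next higher setting of this role".
    """
    for _depth, perm in sorted(settings, key=lambda s: s[0], reverse=True):
        if perm is not Perm.NOT_SET:
            return perm
    return Perm.NOT_SET

def has_capability(roles):
    """roles: {role_name: [(context_depth, Perm), ...]} for one user and one capability."""
    # A 'Prohibit' in any role, in any context, ends the evaluation.
    if any(p is Perm.PROHIBIT for s in roles.values() for _, p in s):
        return False
    # Otherwise one role resolving to 'Allow' is enough; 'Prevent' and 'Not Set' both lose.
    return any(role_effective(s) is Perm.ALLOW for s in roles.values())

# Constructed cases mirroring the post.
SYSTEM, COURSE = 1, 3
CASES = {
    # 'Allow' on Authenticated User vs 'Prevent' on another System role.
    "allow_vs_prevent": {"authenticated": [(SYSTEM, Perm.ALLOW)],
                         "nopassword": [(SYSTEM, Perm.PREVENT)]},
    # Same, but with 'Prohibit' on the second role.
    "allow_vs_prohibit": {"authenticated": [(SYSTEM, Perm.ALLOW)],
                          "nopassword": [(SYSTEM, Perm.PROHIBIT)]},
    # Assigned roles: which context holds the 'Prevent' makes no difference.
    "prevent_low_allow_high": {"a": [(COURSE, Perm.PREVENT)], "b": [(SYSTEM, Perm.ALLOW)]},
    "prevent_high_allow_low": {"a": [(SYSTEM, Perm.PREVENT)], "b": [(COURSE, Perm.ALLOW)]},
    # Manual override inside one role: the lower context wins.
    "override_prevent": {"teacher": [(SYSTEM, Perm.ALLOW), (COURSE, Perm.PREVENT)]},
    # Under the stated assumption, 'Not Set' on the override inherits the 'Allow'.
    "override_not_set": {"teacher": [(SYSTEM, Perm.ALLOW), (COURSE, Perm.NOT_SET)]},
}

if __name__ == "__main__":
    for name, roles in CASES.items():
        print(f"{name}: {'allowed' if has_capability(roles) else 'denied'}")
```

Under that assumption, the two override cases are the only place in the model where 'Not Set' and 'Prevent' give different results.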