Nope, you’re right.
That is correct, and is why I specified that these settings affect the admin. (Or in the view, as that typically is the more common case for applying permission limitations.)
All permission limitations within your project is your responsibility to define and enforce.
(For some additional thoughts on this, see (SOLVED) How to add a more fine grid authentication/permissions to groups in Django - #4 by KenWhitesell and the topics it links.)