For all workload resources (and many other types of resources), the ability to create resource-type-A provides the authority to create a constrained sort of resource-type-B.  This is a feature, it is not a bug.

For instance, deployments cause the deployment controller to create replicasets which in turn cause the creation of pods.  The power to create this higher level construct allows delegated authority to create additional resources and is feature of the authorization system, not a bug in it.

This feature is why we draw boundaries around namespaces and try to avoid drawing boundaries around subsets of resources in a namespace.  There is no "owned by" concept for kubernetes resources.  This is not a bug in kubernetes or openshift.

(In reply to David Eads from comment #3)
> For all workload resources (and many other types of resources), the ability
> to create resource-type-A provides the authority to create a constrained
> sort of resource-type-B.  This is a feature, it is not a bug.

As expected, thanks David for confirming this.
Will create a Solution outlining this and close this BZ with NOTABUG.