Strange Issue with solution explorer security



We recently secured menu designed with the below entry in sec. workbench during a security review project-
User / Role Security Type Description Menu Design Menu Filtering Fast Path Documentation OMW Logging Favorites
*PUBLIC A Solution Explorer Security 1 3 0 0 0 3

But the access was available for SYSADMIN role, below entry for SYSADMIN role-

SYSADMIN A Solution Explorer Security 3 3 1 3 1 3

So menu designed was already enabled for the users as they were assigned this role(SYSADMIN) but as soon as the *PUBLIC record was added, they lost access to menu design and we had to explicitly give access to the user ids as below-
PSFT A Solution Explorer Security 3 3 1 3 1 3

I find that strange, the *PUBLIC record shouldn't affect the access already granted in the role right?

I mean am I wrong? isn't the hierarchy is User ID-ROLE-*Public???