I have found what I believe to be a security bug in Confluence that should be fixed.
We have System Administrator function from the Confluence Administrator Group, and created a new Group called System Administrators (see attachment). The purpose was to give our Tech Writers the ability to access the Admin screen without giving them the ability to install add-ons. They belong to the Confluence-Administrators group, but not to the System-Administrators group.
However, I have found out that they have the ability to add themselves to the System-Administrators group. This allows them to increase their own authority and install add-ons.
They should not be able to add themselves to a group that has higher authority than they had.