eZ Publish / Platform: EZP-17219

Policy "section/assign" does not uphold subtree limitation

Details

    Description

      eZ Publish allows you to limit roles (hence also policies) to only be active in subtrees of the content tree. However, this limitation does not work for the "Section/Assign" policy.

      Instead, a user with a "Section/Assign" policy can assign sections to any node regardless of subtree limitations. See steps to reproduce for an example.

      Steps to reproduce

      As admin, create two new roles:

      1. A role called "basic role" with unlimited "Content/Read" and unlimited "User/Login"
      policies.

      2. Another role called "section role" with unlimited "Section/Assign" and unlimited
      "Section/View".

      3. Create a user group and a test user in it. Call the user "tester".

      4. Assign "basic role" to "tester".

      5. Click "Setup" -> "Roles and policies". Click on the "section role" role. Choose
      "subtree" from the dropdown and click the "Assign with limitation" button.

      6. Choose a content node and then the "tester" user when asked.

      7. Log out as admin, log in as "tester".

      8. Click "Setup" -> "Sections".

      9. From here you can assign any section to any node, when in fact you should only
      be able to assign a section to the node you chose in (6).
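
A minimal model of the check this report is about, added here as an illustration and not taken from eZ Publish code: the reported behaviour (policy alone grants access) next to the expected one (the policy counts only inside the assignment's subtree). All names (`RoleAssignment`, `can_assign`, `can_assign_buggy`, `audit`) and the node paths are constructed; nodes are assumed to be identified by slash-terminated materialized paths.

```python
from dataclasses import dataclass
from typing import Optional

SECTION_ASSIGN = ("section", "assign")


@dataclass(frozen=True)
class RoleAssignment:
    """A role assigned to a user, optionally limited to one subtree."""
    policies: frozenset
    subtree: Optional[str] = None  # constructed path format; None means unlimited


def in_subtree(node_path: str, subtree: str) -> bool:
    # Compare with a trailing "/" so "/1/2/580/" is not taken for a
    # descendant of "/1/2/58/".
    node_path = node_path.rstrip("/") + "/"
    return node_path.startswith(subtree.rstrip("/") + "/")


def can_assign_buggy(assignments, node_path: str) -> bool:
    # Reported behaviour: holding the policy is enough; the subtree
    # limitation on the role assignment is never consulted.
    return any(SECTION_ASSIGN in a.policies for a in assignments)


def can_assign(assignments, node_path: str) -> bool:
    # Expected behaviour: the policy only counts when it comes from an
    # assignment that is unlimited or whose subtree contains the node.
    return any(
        SECTION_ASSIGN in a.policies
        and (a.subtree is None or in_subtree(node_path, a.subtree))
        for a in assignments
    )


# Constructed data mirroring the steps to reproduce: "basic role" is
# unlimited, "section role" is limited to the node chosen in step 6.
TESTER = [
    RoleAssignment(frozenset({("content", "read"), ("user", "login")})),
    RoleAssignment(frozenset({SECTION_ASSIGN, ("section", "view")}), "/1/2/58/"),
]
NODES = ["/1/2/58/", "/1/2/58/61/", "/1/2/580/", "/1/2/70/"]


def audit(check):
    """Return {node_path: allowed} for the tester on each sample node."""
    return {path: check(TESTER, path) for path in NODES}
```

Comparing `audit(can_assign_buggy)` with `audit(can_assign)` works as a regression check: any node allowed by the first but denied by the second is access granted outside the limitation.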

          People

            e8318ba6-e4ae-477c-9116-36c073bd11a3@accounts.ibexa.co Patrick Allaert
            lars.warholm lars.warholm