EZP-22479 I noticed something weird about the policies.
If you enter the backend, go to "User accounts" -> "Roles and policies" and grant "user", "login" for an existing user group, this new policy/limitation will not be available for Public API.
In my case I granted the "Member" group to "user", "login", "SiteAccess( ezdemo_site_admin )".
If I test if one of my member users have access with canUser( 'user', 'login', $siteAccess ) the result will be always negative.
Clearing the caches with php ezpublish/console cache:clear --env=prod doesn't solve the issue.
If I manually remove the cache with rm -rf ezpublish/cache/* the problem is solved.