Default DeletePermission seems unsafe? #2128
Replies: 2 comments
Can you elaborate a bit more? To delete (JSON-API delete or GraphQL delete), you need delete permission. Update permission allows you to disassociate relationships (which could cause a database delete depending on your ORM settings). Or are you referring to the defaults if you don't apply default delete permission at all at the entity or package level? Also, are you seeing a delta with Elide 4? Thanks.
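The reply above separates two things: a direct delete needs `@DeletePermission`, while `@UpdatePermission` on a relationship lets a caller disassociate members, which the ORM may turn into a row delete (cascade or orphan removal). The entity below is an added example, not code from this thread or from the Elide project, showing how to avoid depending on whichever default applies: every permission is pinned explicitly, delete is denied outright, and the relationship whose ORM mapping would delete orphans is restricted to appends so an update cannot remove members. It assumes the Elide 5 annotation and check packages, the `Prefab.*` check names, `javax.persistence`, Lombok's `@Data` for accessors, and `RequestScope.getUser().getName()` returning the principal name; the `Article`, `Comment` and `IsOwner` types are constructed for this example.

```java
// Added example (not from the discussion or the Elide project): an Elide 5
// entity whose permissions are all pinned explicitly instead of left to
// defaults. Package names, "Prefab.*" check names, javax.persistence,
// Lombok @Data and User.getName() are assumptions about Elide 5.
package example;

import com.yahoo.elide.annotation.CreatePermission;
import com.yahoo.elide.annotation.DeletePermission;
import com.yahoo.elide.annotation.Include;
import com.yahoo.elide.annotation.ReadPermission;
import com.yahoo.elide.annotation.SecurityCheck;
import com.yahoo.elide.annotation.UpdatePermission;
import com.yahoo.elide.core.security.ChangeSpec;
import com.yahoo.elide.core.security.RequestScope;
import com.yahoo.elide.core.security.checks.OperationCheck;

import java.util.Optional;
import java.util.Set;
import javax.persistence.CascadeType;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.ManyToOne;
import javax.persistence.OneToMany;
import lombok.Data;

@Entity
@Include
@Data
@ReadPermission(expression = "Prefab.Role.All")
@CreatePermission(expression = "Prefab.Role.All")
// Update and delete are pinned separately: being allowed to edit an article
// does not imply being allowed to remove it. Delete is denied for everyone
// here; swap in a named check if some role legitimately needs it.
@UpdatePermission(expression = "is article owner")
@DeletePermission(expression = "Prefab.Role.None")
public class Article {

    @Id
    private long id;

    private String title;
    private String ownerName;

    // orphanRemoval turns "disassociate a comment" into "delete the comment
    // row", which is the update-implies-delete path described in the reply.
    // Restricting the relationship to appends means an update request can add
    // comments but cannot remove them through this entity.
    @OneToMany(mappedBy = "article", cascade = CascadeType.ALL, orphanRemoval = true)
    @UpdatePermission(expression = "Prefab.Collections.AppendOnly")
    private Set<Comment> comments;

    // Custom check registered under the expression name used above.
    @SecurityCheck(IsOwner.NAME)
    public static class IsOwner extends OperationCheck<Article> {
        public static final String NAME = "is article owner";

        @Override
        public boolean ok(Article article, RequestScope requestScope,
                          Optional<ChangeSpec> changeSpec) {
            String caller = requestScope.getUser().getName();
            return article.getOwnerName() != null
                && article.getOwnerName().equals(caller);
        }
    }
}

// Child entity: its own delete permission is pinned as well, so removing a
// comment is only possible through an explicit, separately authorised delete.
@Entity
@Include
@Data
@ReadPermission(expression = "Prefab.Role.All")
@CreatePermission(expression = "Prefab.Role.All")
@UpdatePermission(expression = "Prefab.Role.None")
@DeletePermission(expression = "Prefab.Role.None")
class Comment {

    @Id
    private long id;

    private String body;

    @ManyToOne
    private Article article;
}
```

An integration test like the one the question describes (a user with update rights issuing a JSON-API `DELETE` on `/article/{id}`, and a `PATCH` that drops an entry from `comments`) is the quickest way to confirm that both paths now return 403 regardless of the framework's default.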
I'm using the Spring Boot Starter with JsonApi.
The delete paragraph on the security page of the docs doesn't state anything about the default permission applied for @DeletePermission. But my integration tests show me that a user is allowed to delete all entities he has update permissions for.
Is that intended? It doesn't feel like a very safe default setting.