Keycloak authorization services don't deny scopes in resource

I am testing Keycloak authorization services in the admin console and I'm unable to understand why in the next example keycloak is authorizing a user (tested in the evaluate tab). this is my setup :

• Created a realm test
• Created a client democlient with Authorization Enabled on
• Create the realm role Admin
• Create the user adminuser and assign it to the Admin role

In the Authorization tab withing the client democlient:

• In Settings -> Policy Enforcement Mode is set to Enforcing
• Create 2 scopes: list and save
• Create a resource Resource A with the 2 previous scopes
• In Policies tab, create a new Role policy called Only admins where (of course) i only permit admins:
• In Permissions tab, created a Scoped-based permission called permit only admins Resource A, list Scope:

And that's it. now i check in the evaluate tab this policy using the adminuser, role Admin, Resource A, Scope List:

success! everything is fine in the world!... except No. checking again the policy with the adminuser, role Admin, Resource A, Scope save (a scope where I did not define any permission) Keycloak is again Authorizing this rule :/

i assumed that policy enforcement mode set to Enforcing will deny the access to scope save, from the documentation of keycloak:

The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.

so... what i am doing wrong? how can i make that keycloak deny the access to the save scope? (obviously i can make a permission where i explicitly deny this scope. but i want that the default is deny as the documentation says) Any ideas will be deeply appreciated.