  1. Red Hat build of Keycloak
  2. RHBK-2968

[FGAP] User not visible when permission with different scope exists [GHI#38369]


      In a realm with users myadmin, user-1, user-2 and the permissions:

      • All Users permission allowing view for user myadmin
      • user permission disallowing manage user-1 for myadmin

      user-1 is not visible in the user list, and http://localhost:8080/admin/master/console/#/master/users/${user-1.ID}/settings also returns 403.

      The issue seems in fact to be that here https://github.com/keycloak/keycloak/blob/8f7c1871a71682b8eef3a01bea0a717bc9a856f1/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissionsV2.java#L114

      the resource is found because the manage permission exists, therefore the "view-all-users" permission is ignored.
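
A simplified model of the lookup described above, added here as an example; it is not Keycloak's code and not part of the original report. The `Permission` class, the `ALL_USERS` name and both functions are hypothetical, and the scope-aware variant is an assumption about the intended behaviour, not the project's fix.

```python
from dataclasses import dataclass

ALL_USERS = "all-users"  # hypothetical name for the resource covering every user

@dataclass(frozen=True)
class Permission:
    resource: str       # a user id, or ALL_USERS
    scopes: frozenset   # scopes the permission covers, e.g. {"view"}
    admin: str          # admin the attached policy applies to
    grant: bool         # True = policy permits, False = policy denies

# Constructed sample data mirroring the realm in the report.
PERMISSIONS = [
    Permission(ALL_USERS, frozenset({"view"}), "myadmin", True),
    Permission("user-1", frozenset({"manage"}), "myadmin", False),
]

def _matching(perms, resource, scope, admin):
    """Permissions on `resource` that cover `scope` and apply to `admin`."""
    return [p for p in perms
            if p.resource == resource and scope in p.scopes and p.admin == admin]

def can_buggy(perms, admin, user_id, scope):
    """Reported behaviour: once any permission exists on the user's own
    resource, the all-users permission is never consulted, whatever the scope."""
    resource_found = any(p.resource == user_id for p in perms)
    target = user_id if resource_found else ALL_USERS
    hits = _matching(perms, target, scope, admin)
    return bool(hits) and all(p.grant for p in hits)

def can_scope_aware(perms, admin, user_id, scope):
    """Assumed intended behaviour: fall back to the all-users permission
    unless the per-user resource has a permission for this very scope."""
    hits = _matching(perms, user_id, scope, admin)
    if not hits:
        hits = _matching(perms, ALL_USERS, scope, admin)
    # Default deny when nothing matches; a per-user deny on the same scope still wins.
    return bool(hits) and all(p.grant for p in hits)

if __name__ == "__main__":
    for user in ("user-1", "user-2"):
        print(user,
              "buggy view:", can_buggy(PERMISSIONS, "myadmin", user, "view"),
              "scope-aware view:", can_scope_aware(PERMISSIONS, "myadmin", user, "view"))
```

A regression test for this issue should cover both directions: user-1 stays viewable when only `manage` is denied, and an explicit per-user deny on `view` still hides the user.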

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core IAM