With the addition of ECCurve_Ed25519 in version 3.101.0-7 of the code I can now see an incorrect indicator set for CKM_ECDH1_*_DERIVE services using this curve. NSS is currently setting an approved indicator for it and the use of this curve is currently non-approved.

I believe that the reason lies in the fact that the sftk_getKeyLength() function, which is the one supposed to filter only approved curves, is only checking curves of type CKK_EC:

nss/lib/softoken/pkcs11u.c:sftk_getKeyLength():

if (keyType == CKK_EC) {
        SECOidTag curve = sftk_quickGetECCCurveOid(source);
        switch (curve) {
            case SEC_OID_CURVE25519:
                /* change when we start algorithm testing on curve25519 */
                return 0;

Keys for curve ECCurve_Ed25519 are not of type CKK_EC and I believe are escaping this check.