Currently server group scoped roles with write or security-sensitive-read privileges are able to use those privileges with any HC that has no servers defined. This allows the role to do things like add a server in the group to a newly spun up host.

The master HC should be excluded from this ability. The master would typically not have servers, but not because it is a newly spun-up host.