Configuration of maximum-permissions attribute in /subsystem=security-manager/deployment-permissions=default doesn't work so the permissions for deployments can't be restricted.
(The "policy of the product installation" in the words of EE specification is not enforced).

If administrator specifies maximum-permissions in server configuration and also permissions.xml in the deployment, all permissions from the permissions.xml are granted even if the policies are in conflict.

The maximum-permissions configuration has following meaning:
A set containing the maximum permission scope that can be granted to deployments or jars

The Java EE 7 platform specification (JSR 342) says in section EE.6.2.2.1:
If security permissions are declared that conflict with the policy of the product installation, the Java EE product must fail deployment of the application module.

Expected behavior:

• based on EE spec the deployment should fail
• deployed application should not get more permissions than specified in the maximum-permissions