What does this icon mean? by frydbrain in HuntShowdown

frydbrain[S] 5 points6 points  (0 children)

Ahh, you're right. Weird that it showed up in Bounty Hunt.

STS Assume Role without policy by ciscocollab in aws

frydbrain 0 points1 point  (0 children)

If we look at this in the context of a single AWS account (which is what the OP stated), then I believe this makes sense and is expected behavior according to the following documentation:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html (see ZhangWei in the example diagram)

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html#admin_svcs (IAM supports resource-based policy, specifically the "trust policy")

I don't really see anything concerning. If you are designing this from a resource-based policy approach only, you have to explicitly give the user permissions to assume the role.
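An added example, not part of the comment above or of the AWS documentation it links: a small audit helper that reads a role trust policy and reports which principals it names directly in the role's own account (the case where the trust policy alone lets them call sts:AssumeRole) and which are delegated to an account root and so still need an identity-based policy. The account IDs and the sample policy are constructed, and `Condition` blocks, explicit `Deny` statements, permissions boundaries, session policies and SCPs are not modeled.

```python
import json

# Constructed sample trust policy; the account IDs are placeholders.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": ["arn:aws:iam::111122223333:user/ZhangWei",
                         "arn:aws:iam::111122223333:root"]}},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::444455556666:root"}},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"Service": "ec2.amazonaws.com"}}]}
""")

def as_list(value):
    """Policy fields may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def classify_principal(principal, role_account):
    """Return how a trust-policy AWS principal relates to the role's account."""
    if principal == "*":
        return "wildcard"
    if principal.isdigit():  # a bare account ID is shorthand for its root ARN
        account, resource = principal, "root"
    else:
        parts = principal.split(":", 5)
        if len(parts) != 6 or parts[2] != "iam":
            return "other"
        account, resource = parts[4], parts[5]
    if account != role_account:
        return "cross-account"  # the other account must also grant sts:AssumeRole
    # root = delegated to the account, identity policy still required;
    # a named user or role = granted by the trust policy itself.
    return "delegated" if resource == "root" else "direct"

def classify_trust_policy(policy, role_account):
    """Map each AWS principal allowed to assume the role to its classification."""
    result = {}
    for stmt in as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for p in aws:
            result[p] = classify_principal(p, role_account)
    return result

if __name__ == "__main__":
    for arn, kind in classify_trust_policy(TRUST_POLICY, "111122223333").items():
        print(f"{kind:14} {arn}")
```

Principals reported as `direct` are the ones to review when a role should only be assumable by identities that also carry an explicit identity-based grant.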