@有角 太志, Thanks for posting in Q&A.
In general, we assign a policy to device groups when you don't care who's signed in on the device, or if anyone signs in. You want your settings to always be on the device. Use user groups when you want your settings and rules to always go with the user, whatever device they use.
From your description, I know the policy is assigned to a user group. But the local user can still apply the policy. I think this is because the policy setting is applied at device scope. In general, the Intune policy settings for Windows devices are based on the configuration service providers (CSPs). These settings map to registry keys or files on the devices.
Windows CSP settings can apply to the user scope or the device scope. If a device-scoped policy is assigned to a user, once that user signs in and an Intune sync occurs, then the device-scope settings apply to all users on the device. For your situation, it seems the policy setting is a device-scoped policy and it will apply to all users on the device by default. Here is a link with more details:
Hope it can help.
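One way to check on an affected device which scope a setting actually landed in, as an added example that is not part of the original answer. It assumes the Windows MDM policy engine records applied Policy CSP values under `HKLM\SOFTWARE\Microsoft\PolicyManager\current`, with a `device` subkey and one subkey per user SID; `Get-MdmPolicyScope` is a hypothetical helper name.

```powershell
# Added example: list applied MDM (Policy CSP) settings grouped by scope.
# Assumption: applied values live under PolicyManager\current, in a 'device'
# subkey (device scope) and in one subkey per user SID (user scope).
$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current'

function Get-MdmPolicyScope {
    param([string]$Root = $PolicyRoot)

    if (-not (Test-Path -Path $Root)) {
        Write-Warning "No PolicyManager key at $Root (device may not be MDM-managed)."
        return
    }

    foreach ($scopeKey in Get-ChildItem -Path $Root) {
        $owner = $scopeKey.PSChildName
        $scope = if ($owner -eq 'device') { 'Device' } elseif ($owner -like 'S-1-*') { 'User' } else { 'Other' }

        # Each subkey below the scope key is a policy area (for example a CSP area name).
        foreach ($areaKey in Get-ChildItem -Path $scopeKey.PSPath) {
            foreach ($valueName in $areaKey.GetValueNames()) {
                # Assumption: these suffixes mark companion bookkeeping values, not settings.
                if ($valueName -match '_(ProviderSet|WinningProvider)$') { continue }

                [pscustomobject]@{
                    Scope   = $scope
                    Owner   = $owner            # 'device' or the user's SID
                    Area    = $areaKey.PSChildName
                    Setting = $valueName
                    Value   = $areaKey.GetValue($valueName)
                }
            }
        }
    }
}

# A setting listed with Scope = Device applies to every account on the machine,
# including local users, even when the Intune assignment targeted a user group.
Get-MdmPolicyScope | Sort-Object Scope, Area, Setting | Format-Table -AutoSize
```

If the setting in question appears only under the `device` owner, it is device scoped and will apply to every user who signs in to that machine.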