I think this confusion is exactly the problem.
“Roles inherit” is one of those Azure things that looks simple in docs but ends up creating hidden privilege sprawl in real environments. I’ve seen teams argue for hours about what gets inherited, what doesn’t, and who has access to what, just because a single assignment at the wrong scope can fan out across everything.
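The fan-out described in the comment above, as an added example that is not part of the original post: it resolves which role assignments reach each resource by scope inheritance and ranks assignments by how many resources they cover. The subscription ID, resource names and principals are constructed placeholders, and management group scopes are left out because subscriptions are not path children of them.

```python
# Constructed sample data; subscription ID, names and principals are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

ASSIGNMENTS = [
    {"principal": "alice", "role": "Owner", "scope": SUB},
    {"principal": "bob", "role": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principal": "carol", "role": "Reader",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/appdata"},
]

RESOURCES = [
    SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/appdata",
    SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/appkv",
    SUB + "/resourceGroups/rg-app2/providers/Microsoft.Sql/servers/db1",
]


def covers(scope, resource_id):
    """True if an assignment at `scope` applies to `resource_id` (same or child scope)."""
    s = scope.rstrip("/").lower()      # Azure resource IDs compare case-insensitively
    r = resource_id.rstrip("/").lower()
    # Match on whole path segments so rg-app does not cover rg-app2.
    return r == s or r.startswith(s + "/")


def effective_access(assignments, resources):
    """Map each resource to the (principal, role, inherited?) tuples that reach it."""
    result = {}
    for res in resources:
        hits = []
        for a in assignments:
            if covers(a["scope"], res):
                inherited = a["scope"].rstrip("/").lower() != res.rstrip("/").lower()
                hits.append((a["principal"], a["role"], inherited))
        result[res] = hits
    return result


def fan_out(assignments, resources):
    """Count how many resources each assignment reaches, widest first."""
    counts = [(sum(covers(a["scope"], r) for r in resources), a["principal"], a["role"])
              for a in assignments]
    return sorted(counts, reverse=True)


if __name__ == "__main__":
    for count, principal, role in fan_out(ASSIGNMENTS, RESOURCES):
        print(f"{principal:6} {role:12} reaches {count} resource(s)")
```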