User permission search API weird behavior

We have customer who has 100 servicdesk agents in their account, but when through our app we are making below call it’s returning more than 100 users. How’s that even possible ? Customer paid account is fore just 100 users , where are other users coming from I understand there are app users but still that many numbers? Can someone throw some light on below behavior ? What’s the expected behavior of the API ?

let search_url = `/rest/api/3/user/permission/search?projectKey=${projectKey}&permissions=SERVICEDESK_AGENT&maxResults=1000`;
      let httpClient = addon.httpClient({clientKey:clientkey});
      return new Promise(function (resolve, reject) {
            url: search_url,
            contentType: "application/json",
            json: true,
          (error, response, body) => {

Ok so customer has AD integrated which has more than 1700 users and all users are added to servicedesk team role . Even though users may not actually have access to servicedesk they are being returned from this call. I am not sure if that’s that’s the right behavior for a permission API. To me this looks like a bug as practically those users doesn’t have access to project nor they have access to servicedesk.
Can someone from Atlassian throw light on this behavior ?