Hi Elizabeth,
You're correct. The PREMIS rights currently operate similarly to how publication status works - that is, a logged-in user will by default have access to viewing draft records, just as they will be able to view digital objects otherwise restricted using PREMIS.
Part of this is practical. As I've mentioned previously in the User Forum, AtoM's permissions module hasn't had a significant update since it was first released, almost 10 years ago now. Then, the use case for ICA-AtoM was mostly small archives, though now we have both small and very large international users. The current module is not really designed for the scalability that most users expect these days, but it will be a major development project for us to overhaul it and so far no one has wanted to sponsor that work.
Basically, because the permissions module can be so granular and the permissions module works via inheritance, it means that every node on a page has to be checked against multiple levels of possible permissions settings before it can be loaded for display on a page. As you may know, most web browsers have a timeout limit of about 1 minute to prevent long-running requests from consuming all local resources - so this can mean that, with a lot of varying granular permissions set, a page might time out before it even completes loading!
Adding View Draft permissions to all authenticated users (and similarly, view PREMIS-restricted objects) was a way of keeping the base inheritance as simple as possible, so every additional layer of permissions added on top of that has a chance to work without the page timing out. It's a somewhat pragmatic way of trying to work within AtoM's current limitations - it frees up a whole number of baseline things that would otherwise need to be checked node by node before they could be loaded on a page.
There aren't currently any institutions who've contacted us about making PREMIS-based restrictions apply to authenticated users. It could likely be added, but it would take some analysis to determine if we can do it in a way that remains performant without having to overhaul the entire permissions module.
Cheers,