I am using LDAP authentication.
When a user logs into Zabbix using their LDAP credentials, a Zabbix user is autocreated for them via /usr/share/zabbix/include/classes/api/services/CUser.php lines 987 onwards.
Line 1002 states
Which means that all auto-created users are created as Zabbix Administrators. This is not desirable as it allows all auto-created users full access to change the configuration of Zabbix - including the ability to change the authentication configuration.
The user groups that auto-created users get added to should be made configurable via the LDAP authentication configuration.
A strong argument could be made that the default should not be to add the auto-created users to the Zabbix Administrators group.