If you are part of the confluence-administrators group by default you can see all spaces and content.
This breaks the space permissions if you just add specific users that are not part of the confluence-administrators group.
In our case, we have administrators that should be able to administer certain spaces, and also manage users and groups. However, we have a space that we don't want these people to see or administer.
Right now we can specify certain users to see and administer the space, but then any administrator can just come in and do things to this space.
We require that the space honours the space assigned privileges only.