When creating a user using REST (POST /rest/api/2/user/application) the application is set to "JIRA Software", while the default application access is configured as "None".

A workaround is not available, because the field "applicationKeys" is not allowed on cloud (Error message: "Application access permissions cannot be modified via REST in Cloud."). Also the /rest/api/2/user/application API delete function does not work and results in a http 405 error.

Update: This is affecting POST /rest/api/3/user too. Newly created users will be added into Default Access Group regardless of disabling New users have access to this product under product access user administration page.