PermissionManager::getUserPermissions() caches user rights by ID, which means all anonymous or locally-non-existent users share a single cache entry. That will break if rights are granted or revoked based on e.g. IP address (such as in the case of IP blocks).
Solution: use namespaced cache keys. If the user ID is not 0, use 'u:' . $user->getId(). If it is 0, use 'anon:' . $user->getName().