Protect's API is generous with errors when using the cascade option; as an example, supplying a non-sysop edit level with cascade will just drop the cascade option rather than return an error. Similarly, submitting edit=sysop and cascade=true will apply cascade protection, regardless of what move protection is also submitted. That's fine, and is in line with the above assumption, but the page protection log will then show that move level protection, even while the page is cascade protected. That is:
"action": "protect", "protections": "edit=sysop|move=autoconfirmed", "cascade": 1 }
Will generate a log entry reading:
[Edit=Allow only administrators] (indefinite) [Move=Allow only autoconfirmed users] (indefinite) [cascading]
I would not expect the average user seeing that to assume that an autoconfirmed user can not move that page (see also T27912) when the log entry explicitly says it allows autoconfirmed users to move a page. You can even appear to remove move protection.
In such cases, I would expect the API to either return an error or (more in line with the above two examples) silently convert the move level to sysop.