In the ProtectSite extension, if rights are left unchanged they may be granted by ProtectSite while the effects of other "protection" are implemented.
For example, if you have edit restricted to anonymous users (hardcoded in LocalSettings.php or elsewhere) and then try to protect the site against page moves, well anonymous users were just granted the right to edit articles.
ProtectSite should only *restrict* actions, never grant. Ideally through the use of a hook rather than trying to override $wgGroupPermissions.