Private docker namespaces with Content Selectors unexpected behaviour

Today we have had situation like this:
User have a service account (let it be ServiceUser) with private namespace with Content Selector. Let it be /v2/CoolProject
As expected only ServiceUser have access to CoolProject namespace.
But today user made a mistake and push his image in registryaddrec:port/v2/CoolProjectApp
As expected Nexus (or realization of docker registry in Nexus) made new namespace and put tag and manitfest there.
What was unexpected that only this ServiceUser have access to this tag + manifest while other don’t. No content selector with privileges for that namespace. I was expected that any service account will be able to pull this image, but they can’t.
Is this correct behavior of Nexus?

I’ve got only 1 namespace with anonymous access and pull called library.
I’ve modified built-in anonymous role and using anonymous pull checkbox enabled in docker repository settings to make that possible.
Also all users have access to /v2/ to access layers for download as it described Content Selectors and Docker

Am I mess up with configuration or I just don’t understand something? If that is correct behavior than I have no need in Content Selectors?