Zones with target="ACCEPT" allow unconstrained forwarding to the interfaces in other zones

This came as a surprise to me. I was sure that zone is about traffic *to* host. But here is the diff between two configurations differing only in target, where enp0s3 is in the "internal" zone. The first configuration is with target="DROP", the second - target="ACCEPT".

+++ rules.accept 2025-01-07 10:44:24.012374347 +0300 @@ -141,7 +141,7 @@ table inet firewalld { iifname "docker0" accept iifname "enp0s3" jump filter_IN_policy_allow-host-ipv6 iifname "enp0s3" jump filter_IN_internal

• iifname "enp0s3" drop
  

• iifname "enp0s3" accept
  

  iifname "enp0s2" jump filter_IN_policy_allow-host-ipv6 iifname "enp0s2" jump filter_IN_public iifname "enp0s2" reject with icmpx admin-prohibited

@@ -160,13 +160,13 @@ table inet firewalld { iifname "docker0" jump filter_FWD_docker iifname "docker0" accept iifname "enp0s3" oifname "docker0" jump filter_FWD_internal

• iifname "enp0s3" oifname "docker0" drop
  

• iifname "enp0s3" oifname "docker0" accept
  

  iifname "enp0s3" oifname "enp0s3" jump filter_FWD_internal

• iifname "enp0s3" oifname "enp0s3" drop
  

• iifname "enp0s3" oifname "enp0s3" accept
  

  iifname "enp0s3" oifname "enp0s2" jump filter_FWD_internal

• iifname "enp0s3" oifname "enp0s2" drop
  

• iifname "enp0s3" oifname "enp0s2" accept
  

  iifname "enp0s3" jump filter_FWD_internal

• iifname "enp0s3" drop
  

• iifname "enp0s3" accept
  

  iifname "enp0s2" oifname "docker0" jump filter_FWD_public iifname "enp0s2" oifname "docker0" reject with icmpx admin-prohibited iifname "enp0s2" oifname "enp0s3" jump filter_FWD_public

Is it expected? Is it documented anywhere?