The fix in CB is merged and a new CB nightly is released. Upgrade CB and it should fix that bug in CBSubs.
To answer your concern, on change and save, the permissions were just not saved in Joomla 5 and only latest Joomla 4, so they were either kept as they were before, if even changed to non-default ones, and the default permissions in Joomla are inherited from global and upward permissions, which are all safe by default. So, unless I missed something, this is not a security concern. To be even more sure, in addition of our standard internal security-review for CB before merging it as usual, IĀ have also quickly security-reviewed the Joomla functions that CB calls to save permissions, and they security-filter inputs too, so seems all fine, just parameters not saving.
Now to why it hasn't been reported yet, here my analysis: The proportion of Joomla 5 sites is still very low according to Joomla stats, the latest Joomla 4 release that broke this settings-saving is young too, saved settings are still valid and kept, and the proportion of admins changing the default permissions is very low too, those two factors imho explain why this bug hasn't been seen yet. And probably only expert Joomla users like you are doing such advanced settings. Thus, thank you even more very much for reporting it, very appreciated.
Thank you for your complete and accurate answers, and thank you for making the corrections so quickly. That's why we're using this component and why it's important that we carry out in-depth tests.
When it comes to membership, we're talking about payments and therefore about the trust our customers place in us, so it's vital that we use reliable, tried and tested tools.