@joomdonation
The problem is that the menu xtd is displayed when creating/editing when it should not.
The main question is when it should be displayed. We have different permission checks in different places here:
Also, since the behavior is the same with Joomla 3, maybe this is not a Release Blocker.
Took off the release blocker. But one has to agree we are not very consequent with permissions here.
As I see it, the permissions set for the xtd should be the ones that count here.
And the problem is that they are not in our case.
An Author/Editor by default has no core.create or core.edit permissions for com_menus. Therefore the button should not display at all.
What I mean is that we may have something more serious behind these permissions not being applied.
> An Author/Editor by default has no core.create or core.edit permissions for com_menus. Therefore the button should not display at all.
=> If the user does not have that permission, it won't be displayed. My Joomla 4 default setup shows that the Editor group has both permissions set to Allowed, and the Author group has the core.create permission set to Allowed; that's the reason the button is being displayed there.
We just display the button here to allow selecting a menu item, so checking for the core.create or core.edit permission seems not right to me. Maybe we should check for core.manage (because without the core.manage permission, we won't see any menu items displayed for selecting).
> If the user does not have that permission, it won't be displayed. My Joomla 4 default setup shows that the Editor group has both permissions set to Allowed, and the Author group has the core.create permission set to Allowed; that's the reason the button is being displayed there.
Oops, you are definitely right...
To add to the confusion, a manager using the menu xtd in backend when editing an article gets a 403...
Yes. Because in the backend, we check for the core.manage permission. Looks like checking for core.manage before showing the button would be the right choice.
I wonder why we should forbid a manager from using the xtd menu when editing an article?
The manager has no access to the com_menus backend anyway.
Security?
I'm unsure. Maybe we want to prevent users without permission from seeing the menu items.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-06-28 07:44:48 |
Closed_By | ⇒ | infograf768 | |
Labels | Added: No Code Attached Yet | Removed: ? |
The behavior is the same in Joomla 3. As of right now, we only show the menu items belonging to menus for which the current user has the Access Administration Interface permission.