9.3 compatibility? Seems like Module is no longer respecting permissions

We didn't give our Users the right to edit url-aliases for taxonomies.
Up to core 9.2 this works and the url-alias field is not showing up at /taxonomy/term//edit?destination=/admin/structure/taxonomy/manage//overview

After updating to 9.3 the url-alias field is suddenly showing up at taxonomies.
Double checked the permissions but they are correct.

Maybe 9.3 handles something different here?
When updating the core to 9.3 it does do some stuff with permissions that look a bit dangerous...but could be cause of not enabled splits.
It didn't change the url_alias permissions in general:

test.com user 9301 hook_update_n 9301 - Change the users table
test.com to use an serial uid field.
test.com block replace_node_type post-update Updates the node type
test.com _condition visibility condition.
test.com media modify_base_field post-update Updates stale references to
test.com _author_override Drupal\media\Entity\Media::ge
test.com tCurrentUserId.
test.com node modify_base_field post-update Updates stale references to
test.com _author_override Drupal\node\Entity\Node::getC
test.com urrentUserId.
test.com node rebuild_node_revi post-update Rebuild the node revision
test.com sion_routes routes.
test.com system delete_authorize_ post-update Remove obsolete
test.com settings system.authorize
test.com configuration.
test.com system sort_all_config post-update Sort all configuration
test.com according to its schema.
test.com taxonomy clear_views_argum post-update Clear the cache after
test.com ent_validator_plu deprecating Term views
test.com gins_cache argument validator.
test.com user update_roles post-update Calculate role dependencies
test.com and remove non-existent
test.com permissions.
test.com views sort_identifier post-update Add the identifier option to
test.com all sort handler
test.com configurations.

test.com > [notice] The role Contentmanager has had the following non-existent permission(s) removed: access entity_browser_publisher_single entity browser pages, access in-place editing, create paragraph content cp_listpage, create paragraph content listpage_element, create paragraph content listpage_element_reuse, create terms in facts, create video media, delete any video media, delete own video media, delete paragraph content cp_listpage, delete paragraph content listpage_element, delete paragraph content listpage_element_reuse, delete terms in facts, edit any video media, edit basic_cart node url alias, edit own video media, edit terms in facts, update paragraph content cp_listpage, update paragraph content listpage_element, update paragraph content listpage_element_reuse, use advanced search.
test.com > [notice] The role Contenteditor has had the following non-existent permission(s) removed: access entity_browser_publisher_single entity browser pages, access in-place editing, create paragraph content boxtype_tiles, create paragraph content cp_listpage, create paragraph content listpage_element, create paragraph content listpage_element_reuse, create video media, delete any video media, delete own video media, delete paragraph content boxtype_tiles, delete paragraph content cp_listpage, delete paragraph content listpage_element, delete paragraph content listpage_element_reuse, edit any video media, edit own video media, update paragraph content boxtype_tiles, update paragraph content cp_listpage, update paragraph content listpage_element, update paragraph content listpage_element_reuse, use advanced search.