OIDC auth login with default role

Hi, I was trying to set up the OIDC auth method using Google OAuth by referring to https://github.com/hashicorp/vault-guides/tree/master/identity/oidc-auth
and created 2 roles as below:

vault list auth/oidc/role

where reader has list, read capabilities on secret and manager has create, delete, list, read, update capabilities on secret.

vault policy read reader
# Read permission on the k/v secrets
path "/secret/*" {
    capabilities = ["read", "list"]
}

But when I log in to the Vault UI with reader as the default role, I can still create a secret. It shouldn't have permission to create it, right?
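One way to check what a role's policies actually grant before trusting a UI login is to evaluate the policies offline. The script below is an added example, not from the original post or from the vault-guides repository: it models the documented Vault ACL matching rules (exact path beats glob, the longest glob prefix wins, `deny` overrides everything, and an unmatched path is denied) in plain Python. The `POLICIES` and `ROLES` tables are constructed sample input; the reader policy copies the one in the post, and the role-to-policy mapping is a hypothetical stand-in for what `token_policies` on each `auth/oidc/role/<name>` would hold. It assumes the KV engine at `secret/` is version 2, so secret data lives under `secret/data/<name>`.

```python
import re

# Constructed sample policies. "reader" mirrors the policy in the post;
# "default" is a small stand-in for Vault's built-in default policy.
POLICIES = {
    "default": '''
path "auth/token/lookup-self" {
    capabilities = ["read"]
}
''',
    "reader": '''
# Read permission on the k/v secrets
path "/secret/*" {
    capabilities = ["read", "list"]
}
''',
    "manager": '''
path "secret/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
}
''',
}

# Hypothetical role -> token_policies mapping (assumption: what each
# auth/oidc/role/<name> would attach to the token it issues).
ROLES = {
    "reader": ["default", "reader"],
    "manager": ["default", "manager"],
}

# Matches the simple `path "..." { capabilities = [...] }` shape used above.
RULE_RE = re.compile(
    r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S
)


def parse_policy(text):
    """Return {path: set(capabilities)}; leading slashes are normalised away."""
    rules = {}
    for path, caps in RULE_RE.findall(text):
        rules[path.lstrip("/")] = set(re.findall(r'"([^"]+)"', caps))
    return rules


def merged_rules(policy_names):
    """Union the rules of every policy attached to a token; deny is sticky."""
    merged = {}
    for name in policy_names:
        for path, caps in parse_policy(POLICIES[name]).items():
            existing = merged.setdefault(path, set())
            existing |= caps
            if "deny" in existing:
                merged[path] = {"deny"}
    return merged


def match_rule(rules, request_path):
    """Exact match beats glob; among glob rules the longest prefix wins."""
    request_path = request_path.lstrip("/")
    if request_path in rules:
        return request_path, rules[request_path]
    best = None
    for path, caps in rules.items():
        if path.endswith("*") and request_path.startswith(path[:-1]):
            if best is None or len(path) > len(best[0]):
                best = (path, caps)
    return best


def capabilities_for(role, request_path):
    """Sorted capabilities the role's token would have on request_path."""
    match = match_rule(merged_rules(ROLES[role]), request_path)
    return sorted(match[1]) if match else ["deny"]  # default deny


def is_allowed(role, capability, request_path):
    caps = capabilities_for(role, request_path)
    return "deny" not in caps and capability in caps


if __name__ == "__main__":
    for role in ROLES:
        for cap in ("read", "create"):
            print(role, cap, "secret/data/app ->",
                  is_allowed(role, cap, "secret/data/app"))
```

Against a live server the equivalent check is `vault token lookup` (the `policies` field shows what the token actually carries) followed by `vault token capabilities secret/data/app` from the session that can create secrets; if that session reports `create`, its attached policies differ from the `reader` policy above, so comparing the lookup output with the role's `token_policies` is the place to start.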