Vault PKI roles overriding max-lease-tll set in pki backend .. is this expected?

While testing pki on vault, I noticed that despite leaving the max-lease-ttl setting on the pki backend to its default (768h), I was able to generate long-living certs (whatever max ttl the pki role permits). My expectation was that if max_ttl in pki role is > max-lease-ttl of the secret backend. The expirty time of the certs would default to the max-lease-ttl from the backend OR vault would raise warning/error of some kind here.

To reproduce, follow the guide at just skip the part where it asks you to tune the max-lease-ttl for the backend.

Is this an expected behavior or am I possibly missing some config parameters on my pki mount to enforce the TTL for max-lease-ttl?