I have worked this out after much code searching :)
By default the user/login module/function is in the PolicyOmitList of site.ini . No permissions/policies are checked for user/login.
With the default templates & settings this is fine as these are setup to use a custom pagelayout.tpl that does not access any additional content.
If you use the setting LoginPage=embedded, the default pagelayout.tpl will be used and user/login.tpl is returned in {$module_result.content}
Now here is the kicker - If the login fails or the user is not redirected to another page, any fetches of content that are done in the pagelayout.tpl will be executed without any permissions applied and hence the "restricted" values being displayed in the menu when the login fails.