This was reported to me privately by Paul Vinkenoog.
If someone has been granted the RDB$ADMIN role in a user database, he must specify it when connecting in order to exercise the privileges that come with it.
However, I have observed the following:
Grantee is a Windows administrator.
If he logs in with an empty role, CURRENT_ROLE is RDB$ADMIN.
Please notice that AUTO ADMIN MAPPING is off in the database, so that's not the explanation.