The documentation has been updated to account for this exception.
Role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.
A user or resource can only assume an identity given the user/resource has "sts:assumerole" permissions for Role A, and role A trusts the user or the entire account that includes users B and C. However, User C would not be able to assume role A unless trusted by Role A even with "sts:assumerole" as a result of least privilege. Principals are not allowed to assume a role unless they are explicitly allowed to in the role’s trust policy. This is because there is an implicit deny by default. An explicit deny would require a Deny statement which would override any allow. This is done to prevent user C from assuming a role with more permissions than they should be allowed.
Attaching the following documentation regarding role trust policies here. https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
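Added example, not part of the original answer and not AWS's policy engine: a simplified Python model of the checks as the answer describes them (an identity-policy allow for `sts:AssumeRole`, a trust-policy allow for the caller or its account, and explicit deny overriding any allow). The account ID, ARNs, policy documents and function names are constructed for illustration, and conditions, `NotAction`, and non-`AWS` principals are ignored.

```python
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed sample account ID
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/RoleA"
USER_B = f"arn:aws:iam::{ACCOUNT}:user/B"
USER_C = f"arn:aws:iam::{ACCOUNT}:user/C"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"  # principal meaning "the entire account"

def _listify(value):
    return value if isinstance(value, list) else [value]

def _identity_match(stmt, action, resource):
    """True if an identity-policy statement covers this action and resource."""
    acts = [a.lower() for a in _listify(stmt["Action"])]
    return (any(fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatchcase(resource, r) for r in _listify(stmt["Resource"])))

def _trust_match(stmt, caller_arn):
    """True if a trust-policy statement names the caller or the caller's account."""
    principals = _listify(stmt["Principal"].get("AWS", []))
    account_root = ":".join(caller_arn.split(":")[:5]) + ":root"
    named = caller_arn in principals or account_root in principals
    return named and "sts:assumerole" in [a.lower() for a in _listify(stmt["Action"])]

def _effects(policy, matcher):
    return {s["Effect"] for s in policy["Statement"] if matcher(s)}

def can_assume(caller_arn, identity_policy, trust_policy, role_arn=ROLE_A):
    """Implicit deny by default; any explicit Deny overrides an Allow."""
    ident = _effects(identity_policy, lambda s: _identity_match(s, "sts:AssumeRole", role_arn))
    trust = _effects(trust_policy, lambda s: _trust_match(s, caller_arn))
    if "Deny" in ident or "Deny" in trust:
        return False
    return "Allow" in ident and "Allow" in trust

# Constructed sample policies
_ALLOW = {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_A}
_DENY = {"Effect": "Deny", "Action": "sts:*", "Resource": "*"}
ALLOW_ASSUME = {"Statement": [_ALLOW]}
DENY_ASSUME = {"Statement": [_ALLOW, _DENY]}
TRUST_B_ONLY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_B}, "Action": "sts:AssumeRole"}]}
TRUST_ACCOUNT = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("C, role trusts only B:", can_assume(USER_C, ALLOW_ASSUME, TRUST_B_ONLY))
    print("C, role trusts account:", can_assume(USER_C, ALLOW_ASSUME, TRUST_ACCOUNT))
```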