During my testing I noticed another peculiar issue. When two devices are connected to the same CAP and both are on the same radio (say 2GHz), it blocks communications as it should. However, when one device connects to the 2GHz and one device connects to the 5GHz, communication is allowed even though client-to-client forwarding is not enabled.
Expected again. Client-to-client forwarding is about traffic between clients of the same wireless interface. If a device has support for two bands, that's two wireless interfaces completely independent of each other (might as well be in separate boxes). Same goes for virtual wireless interfaces (additional SSIDs): independent wireless interfaces again. All of those interfaces land as separate cap interfaces on a common bridge in CAPsMAN with capsman-forwarding.
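The forwarding decision described in the reply above, modelled as an added example (not code from the thread or from MikroTik): each radio or virtual SSID is its own bridge port, client-to-client forwarding only governs frames within one port, and everything else is ordinary bridging. The interface names and clients are constructed, and the `horizon` field models RouterOS bridge split horizon (ports sharing a horizon value do not forward to each other), which the thread does not discuss and is included here as one way to close the cross-band path.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class CapInterface:
    """One wireless interface (radio or virtual SSID) seen as a bridge port."""
    name: str                        # constructed names, e.g. "cap1-2ghz"
    client_to_client: bool = False   # forwarding between clients of THIS interface
    horizon: Optional[int] = None    # bridge split-horizon value; None = not set

@dataclass(frozen=True)
class Client:
    mac: str
    iface: CapInterface

def can_reach(src: Client, dst: Client):
    """Return (allowed, reason) for a layer-2 frame from src to dst."""
    if src.iface.name == dst.iface.name:
        # Same wireless interface: only here does the per-interface flag apply.
        return (src.iface.client_to_client,
                "same interface: client-to-client forwarding decides")
    h1, h2 = src.iface.horizon, dst.iface.horizon
    if h1 is not None and h1 == h2:
        return False, "different interfaces, same horizon: bridge drops"
    # Different interfaces are just two ports of the common bridge.
    return True, "different interfaces: ordinary bridge forwarding"

def reachability(clients):
    """Map each unordered client pair to True (allowed) or False (blocked)."""
    return {(a.mac, b.mac): can_reach(a, b)[0]
            for a, b in combinations(clients, 2)}

def build(horizon: Optional[int] = None):
    """Constructed topology: one dual-band CAP plus a virtual SSID."""
    r24 = CapInterface("cap1-2ghz", horizon=horizon)
    r5 = CapInterface("cap2-5ghz", horizon=horizon)
    virt = CapInterface("cap3-virtual", horizon=horizon)
    return [Client("A", r24), Client("B", r24),
            Client("C", r5), Client("D", virt)]

if __name__ == "__main__":
    for label, h in (("as described in the thread", None),
                     ("same horizon on every cap port", 1)):
        print(label)
        for pair, ok in reachability(build(h)).items():
            print("  ", pair, "allowed" if ok else "blocked")
```
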