"Manage members" permission allows user to elevate own permissions
Permissions and roles
1. Create a role which has only one permission, "Manage members".
2. Create a user who is not in any groups, but is in the new role on a single project.
3. Log in as that user.
4. Go to the only project you can see, and click settings.
5. Click "Edit" next to your username and grant yourself access to any role. This can include a role which has full permissions to the project and its settings.
Granting a user "Manage members" is therefore equivalent to granting them the most powerful role available on a project, because they can elevate their own permissions.
They shouldn't be able to modify their own permissions. Arguably they shouldn't be able to grant permissions higher than their own to anyone else either.
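
The two restrictions proposed above, written out as an added Ruby example (not the project's own code): the permissive check matches the behaviour in the steps, and the hardened check refuses self-edits and refuses to grant any role whose permissions exceed the actor's own. The `Role` struct, the permission names other than `:manage_members`, the sample roles, and both function names are assumptions made for illustration.

```ruby
require 'set'

# Hypothetical model for illustration; not the project's real classes.
Role = Struct.new(:name, :permissions)

# Constructed sample roles. Only :manage_members comes from the report.
MEMBER_ADMIN = Role.new('Member admin', Set[:manage_members])
MANAGER      = Role.new('Manager', Set[:manage_members, :edit_project, :delete_issues])
REPORTER     = Role.new('Reporter', Set[:add_issues])

# Union of the permissions carried by a list of roles.
def effective_permissions(roles)
  roles.reduce(Set.new) { |acc, role| acc | role.permissions }
end

# Behaviour described in the report: holding :manage_members is the only
# condition, so the actor may hand any role to anyone, including themselves.
def permissive_can_assign?(actor_roles, _actor_id, _target_id, _new_roles)
  effective_permissions(actor_roles).include?(:manage_members)
end

# Hardened check implementing the two restrictions suggested in the report.
def hardened_can_assign?(actor_roles, actor_id, target_id, new_roles)
  held = effective_permissions(actor_roles)
  return false unless held.include?(:manage_members)

  # 1. A user may not modify their own membership.
  return false if actor_id == target_id

  # 2. Every permission being granted must already be held by the actor,
  #    so a member manager cannot mint a role more powerful than their own.
  effective_permissions(new_roles).subset?(held)
end

if __FILE__ == $PROGRAM_NAME
  # Step 5 of the report: user 1 holds only MEMBER_ADMIN and edits themselves.
  puts permissive_can_assign?([MEMBER_ADMIN], 1, 1, [MANAGER])
  puts hardened_can_assign?([MEMBER_ADMIN], 1, 1, [MANAGER])
end
```

The subset rule also closes the two-account variant, where the member manager grants the powerful role to a second account they control instead of to themselves.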