I think it's quite unacceptable that this question has been unanswered for all this time, sorry. And there are lots of other questions on the forum with 0 answers too. This should be addresses in some organized manner I think. Only a few days ago someone I talk to about pfSense made the point about "many unanswered posts" being a "red flag" for him as a potential new user. I think his point is missing completely though, since there are thousands of replies on the forum, but still, that did catch his eye.
At one time I was searching the forum and the first three posts in the hit list were all relevant for my issue but neither had a single reply..
However, I have the answer to this specific question myself now - and I don't like it.
The answer is that clients logging on and not being assigned a specific IP do get IPs that are assigned to other users. I had one user being logged on and having access to servers he shouldn't have due to this.
This should be corrected asap. Otherwise one has to set IPs for all users to be sure no one gets an IP reserved for some other user (and used in FW rules for this purpose).
And if the number of users in the system are more than what's supported how should that be done?! pfSense wil surely complain when you set a user to an IP being used already or being outside the range specified by the /28.
What I would like and also thought already was the case, is that IPs assigned to individual users in config should NOT be used when assigning IPs to users that don't have a specific IP assigned in config.
If I'm missing something I'll be interested in hearing what that is.