What is the behavior of firewalld when using multiple zones ?

Issue

• How does firewalld handle the use of multiple zones ?
• First we have bound the only interface we have (eth0) to zone 'public'. This zones only allows services dhcpv6-client and ssh.
• Secondly we have created a new zone example and bound a source (xxx.xxx.xxx.xxx) to this zone. This zones only allows port 5308/tcp.
• As expected for zone public : hosts with another ip as 'xxx.xxx.xxx.xxx' where able to use ssh, but not port 5308 on this host. As expected for zone example : host with ip xxx.xxx.xxx.xxx was able to use port 5308 on this host.
• NOT AS EXPECTED: host with ip xxx.xxx.xxx.xxx was able to use ssh on this host as well. This is not as expected because this zone does not allow ssh. It looks like zone example is expected because of source ip xxx.xxx.xxx.xxx, but because there is no match for service ssh (port 22/tcp) it falls back to the zone with is binded to the used interface (eth0): zone public. And because this zone accepts ssh, it is allowed. If I remove service 'ssh' from the zone public, host with ip xxx.xxx.xxx.xxx also no longer is allowed to use service ssh.
• QUESTION, is this 'works as designed': if the service is not found in the zone for which the source is bound (in this case 'cfengine'), it falls backup to the zone the interface is bound (in this case 'public'). Or is this a bug?