There could be a better indication of this, but when a user's in a non-valid user state, they effectively have the permissions from the unregistered / unconfirmed group. You should remove the edit profile permission there.
So this would be as designed, but there might be some clearer indication we can add of this.
I can't see how it isn't a bug, if they have permissions from one group but show in their ACP info as being in another, i.e. they actually show as being in registered even though they are still unconfirmed.
I've been thinking more about this and it does seem to be more of a bug in Analyze Permissions. I use that to work out why a certain permission isn't working the way I want/expect. In this case if the allow in unconfirmed is (correctly) overriding the no/not set in registered, then it must show in Analyze permissions.
I'm calling this as designed because the behavior in the original report is what is intended. However, I have added indications to a couple places (user edit and permission analysis) to make what's going on clearer (when it's happening).