So, it looks like the category access roles take over the package settings, which in my opinion should not happen.
Examples:
1. If we have a category with roles ‘all visitors’ and inside we have private packages for “subscribers” only, then all the packages are listed, but the login form inside the private package is not shown, instead only the download link is hidden.
2. If we have a category with role “subscribers” only and inside we have public packages for “All Visitors”, those packages are not even listed.
In my opinion, in ACL concept, the privileges should be applied to the end units and override the wider permissions.
Ex 1. The packages with less permissions should override the parent (category) permissions.
Ex 2. is fine, since the category has less privileges than the packages and the packages are supposed to be hidden.
Thanks