If I understand correctly, the role LocalAccountsAdmin can manage users with the User role, so this means that users with that role can manage them all. This is intended behavior and not part of the XPath constraint in your domain model.
Be careful with these access rules; they should always end with '%currentuser%'.
Should be something like:
[Administration.AccountSaasCustomer/Administration.SaasCustomer[IsInScope=true()]/SaasCustomer_User=[%currentuser%]]
Check the option 'This role can manage users with at most the following roles' in the user role. These restrictions are always taken into account even when you read.
@Mendix guys - Just an idea: would this be worth documenting? This is critical, and the doc reference I found about this at first sight did not really explain this behaviour to me.