klagreca if you redefined access settings merging preferences to "allow", then most definitely any post that has at least one category or another tag assigned will have access to posts that have "intranet" tag.
In your case, you should consider to avoid using ConfigPress settings and redefine your access policies. In this Github issue I've mentioned about new type of resource s that is supported with the latest AAM update https://github.com/aamplugin/advanced-access-manager/issues/121.
So in your case, remove ConfigPress settings and update the first policy to something like this:
{
"Version": "1.0.0",
"Dependency": {
"wordpress": ">=5.3.2",
"advanced-access-manager": ">=6.2.2"
},
"Statement": [
{
"Effect": "deny",
"Resource": [
"PostType:post:posts",
"PostType:building:posts",
"PostType:testimonial:posts",
"PostType:programs:posts",
"PostType:person:posts",
"PostType:department:posts",
"PostType:tribe_events:posts",
"PostType:page:posts",
"PostType:dws_file:posts"
],
"Action": [
"Edit",
"Delete",
"Publish"
]
},
{
"Effect": "allow",
"Enforce": true,
"Resource": [
"PostType:post:taxonomy:category:posts",
"Term:post_tag:%s:posts => ${USER_META.editable_post_tags}"
],
"Action": [
"Edit"
]
}
]
}