As the title says there is a little known ‘feature’ in SharePoint. Basically SharePoint has no licence associated with it. Any users created in your Azure AD will have access to SharePoint as along as the SharePoint permissions allow it. So if you use the All Users excluding Guests then even an unlicensed user in your Azure AD will be able to access your SharePoint and interact with it like any other user with the same permissions.
By default this also seems to allow those users to create new Team Sites from their SharePoint homepage, again these are users without any SharePoint licence (even without any licences assigned at all…)
We confirmed this with Microsoft support who said that there is a process whereby if you raise a ticket to ensure that SharePoint is only available to users with a SharePoint licence then they can switch that on at the backend. They are considering whether to make this admin adjustable but at this time it is only via a support ticket.