diff --git a/vault/logical_system.go b/vault/logical_system.go
index bf02e153ff..87b5409191 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -144,7 +144,6 @@ func NewSystemBackend(core *Core, logger log.Logger) *SystemBackend {
 "unseal",
 "leader",
 "health",
- "experiments",
 "generate-root/attempt",
 "generate-root/update",
 "rekey/init",
diff --git a/vault/policy_store.go b/vault/policy_store.go
index 92445c807c..ea9b322a55 100644
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@@ -153,7 +153,7 @@ path "sys/control-group/request" {
 # Allow a token to make requests to the Authorization Endpoint for OIDC providers.
 path "identity/oidc/provider/+/authorize" {
- capabilities = ["read", "update"]
+ capabilities = ["read", "update"]
 }
 `
 )
diff --git a/vault/policy_store_test.go b/vault/policy_store_test.go
index d4b1fcf6e8..34eb31553d 100644
--- a/vault/policy_store_test.go
+++ b/vault/policy_store_test.go
@@ -6,6 +6,7 @@ import (
 "testing"
 "github.com/hashicorp/vault/helper/namespace"
+ "github.com/hashicorp/vault/sdk/logical"
 )
 func mockPolicyWithCore(t *testing.T, disableCache bool) (*Core, *PolicyStore) {
@@ -274,3 +275,44 @@ func testPolicyStoreACL(t *testing.T, ps *PolicyStore, ns *namespace.Namespace)
 }
 testLayeredACL(t, acl, ns)
 }
+
+func TestDefaultPolicy(t *testing.T) {
+ ctx := namespace.ContextWithNamespace(context.Background(), namespace.RootNamespace)
+
+ policy, err := ParseACLPolicy(namespace.RootNamespace, defaultPolicy)
+ if err != nil {
+ t.Fatal(err)
+ }
+ acl, err := NewACL(ctx, []*Policy{policy})
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ for name, tc := range map[string]struct {
+ op logical.Operation
+ path string
+ expectAllowed bool
+ }{
+ "lookup self": {logical.ReadOperation, "auth/token/lookup-self", true},
+ "renew self": {logical.UpdateOperation, "auth/token/renew-self", true},
+ "revoke self": {logical.UpdateOperation, "auth/token/revoke-self", true},
+ "check own capabilities": {logical.UpdateOperation, "sys/capabilities-self", true},
+
+ "read arbitrary path": {logical.ReadOperation, "foo/bar", false},
+ "login at arbitrary path": {logical.UpdateOperation, "auth/foo", false},
+ } {
+ t.Run(name, func(t *testing.T) {
+ request := new(logical.Request)
+ request.Operation = tc.op
+ request.Path = tc.path
+
+ result := acl.AllowOperation(ctx, request, false)
+ if result.RootPrivs {
+ t.Fatal("unexpected root")
+ }
+ if tc.expectAllowed != result.Allowed {
+ t.Fatalf("Expected %v, got %v", tc.expectAllowed, result.Allowed)
+ }
+ })
+ }
+}
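Review bot: The table in TestDefaultPolicy pins only the token self-service paths, so the other grants in the policy text this same commit touches in policy_store.go (presumably `defaultPolicy`, since that is what the test parses) stay without a regression guard; two of them are visible in that hunk, `identity/oidc/provider/+/authorize` and `sys/control-group/request`, and both deserve a row. Adding `"oidc authorize": {logical.UpdateOperation, "identity/oidc/provider/foo/authorize", true},` and `"oidc authorize read": {logical.ReadOperation, "identity/oidc/provider/foo/authorize", true},` (constructed provider name) would also be the first case to exercise a `+` wildcard segment, which none of the current rows do. The body calls `context.Background()` while the import hunk adds only `sdk/logical`, so `context` is presumably already imported elsewhere in this file; worth confirming. As a style point, `request := new(logical.Request)` followed by two field assignments reads more directly as `request := &logical.Request{Operation: tc.op, Path: tc.path}`.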