With the introduction of Modern Sites, Microsoft added an additional layer to the permission handling for SharePoint Online sites: the Office 365 Group (soon to be renamed/branded as 'Microsoft 365 Groups'). Below that new level, one can still authorize within the SharePoint site itself via SharePoint Permission Groups. And to make the story even more confusing: not all 'Modern' sites are equal with respect to this new permission model. In a Modern Communication Site there is no notion of, or connection to, an Office 365 Group.
Comparison of Permission Handling + Management within Modern Communication Site vs Modern Team Site
Observations:
- In a Modern Team Site, site authorization is delegated to the Office 365 Group.
  - The SharePoint Members permission Group has the Office 365 Group 'Members' as its single member.
  - The SharePoint Owners and Visitors permission Groups are both EMPTY.
  - Instead, the 'Owners' responsibility is assigned by making all O365 Group Owners Site Collection Administrators (SCA).
- In a Modern Communication Site, site authorization is still at the level of named accounts.
  - Each SharePoint permission Group has as members the named accounts of the persons in that role.
  - And only the person who was identified as 'Site Owner' at site provisioning/creation time (in the SharePoint Admin portal) is assigned SCA.
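The observations above can be checked across a tenant rather than by clicking through each site. The following is an added audit script, not code from the original post; it assumes the PnP.PowerShell module is installed and that the account used is a SharePoint administrator (recent module versions also require a registered Entra app via -ClientId, omitted here), and `$AdminUrl` is a placeholder for your tenant admin URL.

```powershell
# Added example: audit Modern Team and Communication Sites for the permission pattern
# described above (who is SCA, what sits in the associated SharePoint groups).
function Get-ModernSitePermissionAudit {
    param(
        [Parameter(Mandatory)] [string] $AdminUrl   # placeholder, e.g. https://<tenant>-admin.sharepoint.com
    )
    Connect-PnPOnline -Url $AdminUrl -Interactive

    # GROUP#0 = Modern Team Site (group-connected); SITEPAGEPUBLISHING#0 = Modern Communication Site
    $sites = Get-PnPTenantSite | Where-Object { $_.Template -in 'GROUP#0', 'SITEPAGEPUBLISHING#0' }

    foreach ($site in $sites) {
        Connect-PnPOnline -Url $site.Url -Interactive
        $kind   = if ($site.Template -eq 'GROUP#0') { 'TeamSite' } else { 'CommunicationSite' }
        $admins = @(Get-PnPSiteCollectionAdmin)

        # The three associated SharePoint permission groups and their direct members
        $owners   = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedOwnerGroup))
        $members  = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedMemberGroup))
        $visitors = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedVisitorGroup))

        # In a Team Site the Members group holds the O365 Group claim rather than named users;
        # that claim's login name starts with the federated directory claim provider prefix.
        $membersIsO365Group = ($members.Count -eq 1 -and
            $members[0].LoginName -like 'c:0o.c|federateddirectoryclaimprovider|*')

        # Governance flag: a Communication Site whose only SCA is the provisioning 'Site Owner'
        $singleSca = ($kind -eq 'CommunicationSite' -and $admins.Count -le 1)

        [pscustomobject]@{
            Url                = $site.Url
            Kind               = $kind
            SiteCollAdmins     = ($admins.LoginName -join ';')
            OwnersGroupCount   = $owners.Count
            MembersGroupCount  = $members.Count
            VisitorsGroupCount = $visitors.Count
            MembersIsO365Group = $membersIsO365Group
            SingleSiteAdmin    = $singleSca
        }
    }
}

# Usage: Get-ModernSitePermissionAudit -AdminUrl 'https://<tenant>-admin.sharepoint.com' | Format-Table -AutoSize
```

Rows with `SingleSiteAdmin` set are the Communication Sites used for team collaboration where leaving one named account as the sole SCA deserves a review.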
This deviation is intentional / by design from Microsoft, with justification: "Most often, a communication site has a small number of people with permission to author content and many people who only have permission to read content. Team sites use Office 365 Groups for permissions. Communication sites use SharePoint groups." (source: Teams Site vs. Communication Site: Which one should I choose?).
However, in concrete business usage more and more business users prefer the Communication Site over the Team Site for internal collaboration. The most significant motivation is the page layout options, which make better use of the available screen real estate. This practical usage results in a governance flaw, as the permission handling on a "team collaboration site" created as a Communication Site deviates from that within a Team Site, and the typical business user is unaware of this.
I'm not alone in my misunderstanding; a good post on this topic is How broken are Office 365 SharePoint permissions?.