Describe the bug

Adding something to disallowedRequisites leads to it being built/substituted and the resulting derivation seemingly depending on it?

Take this code for example:

{ pkgs ? import <nixpkgs> {} }: pkgs.hello.overrideAttrs (oA: {
  disallowedReferences = [ pkgs.firefox ];
})

pkgs.hello obviously already does not depend on pkgs.firefox, but building this file leads to downloading firefox and nix-store --query --tree looks like this: https://gist.github.com/ajs124/1a36f6d55c28aa40c6451b5a49d16bfe#file-hello-tree-txt-L557

Expected behavior
I expected it not to do this, because it makes this feature much less useful.

nix-env --version output
nix-env (Nix) 2.3.10

Additional context

Maybe I'm having a fundamental misunderstanding of how this is supposed to work, but the documentation didn't mention any of what I observed above.