Originally reported here: http://dspace.2283337.n4.nabble.com/anonymous-right-given-when-bitstream-meta-update-td4671788.html
I was able to reproduce this issue on demo (DSpace 4.0):
1) create an item, add a bitstream without the Anonymous READ right (either no rights or rights for some other groups)
2) Edit Item - Item Bitstreams - select your bitstream - edit the Description field - Save
3) check the item resourcepolicies again - now only Anonymous READ will be present for this bitstream
I also verified that the resourcepolicies will be set to collection default resourcepolicies, so you may see something different than Anonymous READ.