The old jail system had sysctls to set jail permissions for all jails (e.g. security.jail.mount_allowed), which were superseded by per-jail permissions (e.g. allow.mount). These old sysctls remain a constant source of confusion to users, who expect that setting the sysctl will change the behavior of existing jails. That the sysctl value at the time a jail is created may matter is a backward-compatibility hack that does little or nothing to relieve the confusion. So it's time for them to go.
Also, jail(2) has been replaced by jail_set(2) for a number of years now, and it really ought to retire - at least into the COMPAT world.