I think @michaelcompton explained it pretty good over here which helped me understand it better:
My example of the admin taking 20s whereas the user was taking 1s mainly deals with the above.
My admin token quantifies the results based solely on a value in the JWT without doing any query logic so we can evaluate the auth, then we stop there and never go to the DB. However, the user token requires a database request to find out if the user has access based upon data in the database so we then run any remaining database rules in parallel.
That about sums up the difference for me.