Basically nixpkgs.config.permittedInsecurePackages
cannot be defined in multiple files at the same time, when this happens the value in the first file get silently picked.
Here’s a minimal configuration to reproduce https://github.com/huskyistaken/nix-bad-vine-boom.
You’ll notice that when switching the order module 1 and module 2 are declared in the flake the package changes.
I’ve tested this both with Nix v.2.18.8 and Lix v.2.91.0.
I’m not familiar enough with how things work under the hood to understand whether this is a parser bug or a nixpkgs bug, where should I report it?