Why are built-in groups such as Account Operators and Server Operators specified separately in the Denied List attribute, but not in the Denied RODC Password Replication Group?

The Allowed RODC Password Replication Group and the Denied RODC Password Replication Group are domain local groups. Domain local groups cannot contain built-in groups.