I get a result that typically looks like this on the security tab (manage_access) in Plone 5.1 (Windows, if that matters). Please note, this is the bottom of the page - it didn't even finish that table row, let alone all of the default permissions. I suspected it was a bungled transform by plone.protect and indeed if I inspect that value of result the HTML is what I would expect. Digging a bit deeper, the discrepancy appears to happen somewhere in the call to getHTMLSerializer, so I suppose this is really a repoze bug.
This bug feels very familiar to me, but I can't remember if I had a similar issue in Plone 5 or Plone 4.x, and I can't remember a solution for it. I do not have an issue in Plone 5.0.5. The biggest head scratcher is that while 5.0.5 and 5.1 have different versions of plone.protect, they share the same version of repoze.xmliter.