Thank you for your response!
This rule is the only rule in the tenant. Removing it, brings permissions back into the JWT.
The users in the app are required MFA on a certain condition. The use_mfa flag is set to true when it is required. Type of the flow that is used here is username/password and a DB connection.