Portlets don't use user-specific preferences. For example, the Bookmarks Portlet on default.psml always uses the preferences of the anon user. The Portlet reads and writes PortletPreferences from/to the table PREFS_NODE with FULL_PATH=/portlet_entity/db-18/no-principal for both authenticated and unauthenticated users.
It seems that PortletRendererImpl and JetspeedPowerTool don't pass the user principal to the PortletWindowAccessor. PortletWindowAccessor.validateWindow has to pass the principal to PortletEntityAccessComponent too.