Why does this role-based guard fail to restrict access?

Why does this role-based guard fail to restrict access?

canActivate(context: ExecutionContext) { const roles = this.reflector.get('roles', context.getHandler()); const user = context.switchToHttp().getRequest().user; return roles.includes(user.roles); }