You noticed that some computers are getting policies that were not originally assigned to them.
Policies have been defined to go to a set of computers with an exclude defined ended up going to computers in the exclude filter.

ITMS 8.x, 8.7.x

There is a very unlikely scenario where during a filter update an excluded computer could fall briefly into a target allowing things to run on computers that should have been excluded.

For example:

• A Maintenance Window policy has a target with the following definition
  • Include all Windows Workstations
  • Exclude a specific location like US or South America

When the Delta Resource Membership Update runs it clears the membership of the filter first then rebuilds it.  If this takes 1 second and a computer that was in the exclude example above checked in, in the middle of that 1 second it could possibly get the policy if the membership cache was out of date and it had to evaluate its applicability again.

Suggestions:

1. Re-evaluate the number of exclusions and/or inclusions that you have on the affected filter(s) / target(s).
2. Verify how long your "Delta Resource Membership Update" takes to run. Adjust its schedule as needed in case it is not finishing on time before the next run starts.
3. Verify if the affected computers are not sharing the same GUID (appearing as duplicates) or merging.
   210118 "Client Machines are sending same UniqueID during Basic Inventory"
   264590 "Duplicate machines using same GUID after imaging with PXE and WinPE"
   275252 "Virtual Machines Merge"