Bugzilla – Bug 349
stray groups available if runas_default set
Last modified: 2010-06-18 16:17:44 MDT
I'm not sure if this is an error in my sudoers file, or something broken, but the behavior scares me. With /etc/sudoers containing:

    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                         LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                         LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                         LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                         LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                         _XKB_CHARSET XAUTHORITY"
    root ALL=(ALL) ALL
    Defaults always_set_home
    %dba ALL=(oracle) ALL

and the user entering

    sudo -u oracle -i

we see something like

    Password:
    oracle@uaz-hr-d01:~> id
    uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

which is what is expected. However, if I change the above Defaults to

    Defaults always_set_home, runas_default=oracle

to save the user from having to type "-u oracle", I get the following:

    sudo -i
    Password:
    oracle@uaz-hr-d01:~> id
    uid=502(oracle) gid=500(oinstall) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

If, with runas_default in place, I do

    sudo -u oracle -i
    Password:
    oracle@uaz-hr-d01:~> id
    uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

Why do I have all the system groups when I try to set runas_default=oracle? It's almost like preserve_groups is implied by runas_default. I tried an explicit !preserve_groups on the end of the defaults line, but that had no effect I could see.
Note this is on Red Hat Enterprise Linux 5, with sudo package sudo-1.6.9p17-3.el5_3.1
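The quickest way to tell whether a sudo build on a given host still carries this defect is to compare the group list the target account is supposed to have (`id oracle`) with the group list a `sudo -i` session actually ends up in. The script below is an added example for this report, not code from sudo or from the reporter: it parses id(1) output, reports supplementary groups the session has that the account does not (flagging gid 0 specifically), and can run the comparison live. The two embedded `id` lines are copied from the report; the function names, the `live_session_check` helper and its assumption that `sudo -i` is sent to the target user by runas_default are this example's own.

```python
"""Detect the symptom from this bug report: after `sudo -i` (or any run-as
session) the supplementary group list belongs to root or the caller rather
than to the target user.

Added example, not code from sudo or from the bug reporter. The `id` lines
embedded below are copied from the report; the function names and the
`live_session_check` helper are this example's own assumptions.
"""
import re
import subprocess
from typing import FrozenSet, List, NamedTuple, Tuple

# Matches one "502(oracle)" token from id(1) output (English locale assumed).
GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


class IdInfo(NamedTuple):
    uid: int
    user: str
    gid: int
    group: str
    groups: FrozenSet[Tuple[int, str]]   # supplementary groups as (gid, name)


def parse_id(line: str) -> IdInfo:
    """Parse one line of `id` output, e.g.
    'uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)'.
    Extra fields such as SELinux 'context=' are ignored."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line.strip()))
    uid, user = GROUP_RE.match(fields["uid"]).groups()
    gid, group = GROUP_RE.match(fields["gid"]).groups()
    groups = frozenset((int(g), n)
                       for g, n in GROUP_RE.findall(fields.get("groups", "")))
    return IdInfo(int(uid), user, int(gid), group, groups)


def stray_groups(expected: IdInfo, actual: IdInfo) -> FrozenSet[Tuple[int, str]]:
    """Supplementary groups the session has but the target account does not."""
    return actual.groups - expected.groups


def check_session(expected_line: str, actual_line: str) -> List[str]:
    """Compare what `id <target>` says the account should have (expected_line)
    with what `id` printed inside the sudo session (actual_line).
    Returns findings; an empty list means the session looks clean."""
    expected, actual = parse_id(expected_line), parse_id(actual_line)
    findings = []
    if (actual.uid, actual.gid) != (expected.uid, expected.gid):
        findings.append(f"uid/gid mismatch: session {actual.uid}/{actual.gid}, "
                        f"account {expected.uid}/{expected.gid}")
    stray = stray_groups(expected, actual)
    if stray:
        findings.append("stray supplementary groups: "
                        + ",".join(f"{g}({n})" for g, n in sorted(stray)))
    if any(g == 0 for g, _ in stray):
        findings.append("session is in gid 0: treat as a privilege escalation")
    missing = expected.groups - actual.groups
    if missing:
        findings.append("target user's own groups missing: "
                        + ",".join(f"{g}({n})" for g, n in sorted(missing)))
    return findings


def live_session_check(target_user: str) -> List[str]:
    """Run the check on this host: `id <target_user>` versus `sudo -i id`.
    Assumes runas_default sends `sudo -i` to target_user and that sudo can
    authenticate (cached timestamp or a terminal for the password prompt).
    The last non-empty line of the session output is taken as the id line,
    so anything a login shell prints on startup does not confuse the parser."""
    expected = subprocess.run(["id", target_user], capture_output=True,
                              text=True, check=True).stdout
    session = subprocess.run(["sudo", "-i", "id"], capture_output=True,
                             text=True, check=True).stdout
    actual = [l for l in session.splitlines() if l.strip()][-1]
    return check_session(expected, actual)


# Constructed sample input: the two `id` lines from the report.
ACCOUNT_ID = "uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)"
BUGGY_SESSION_ID = ("uid=502(oracle) gid=500(oinstall) "
                    "groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)")

if __name__ == "__main__":
    for finding in check_session(ACCOUNT_ID, BUGGY_SESSION_ID):
        print("FAIL:", finding)
    if not check_session(ACCOUNT_ID, ACCOUNT_ID):
        print("OK: the explicit `sudo -u oracle -i` form matches the account")
```

Against the report's own output the check flags seven stray groups, singles out gid 0, and notes that the oracle account's real groups (oinstall, dba) are absent; the `sudo -u oracle -i` session passes cleanly. On a live host, `live_session_check("oracle")` performs the same comparison without having to eyeball the two `id` lines.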
This is fixed in sudo 1.7.0 and higher. I'll take a look at what needs to be done for sudo 1.6.9.
Created attachment 255: Reset stashed runas group list when runas user changes
This was fixed in Sudo 1.6.9p21.