Roles, if granted, may or may not be enabled in a user session at runtime.
Roles may have had their sys_privs changed between compile time and runtime
and he follows with a comment
Sounds to me like roles leave holes (for privilege escalation).
Tom then follows with some comments about Oracle being a bit lazy in relation to not checking privileges enabled at run time and preferring to do it at compile time. He also points out that Oracle are consistent.
This is an interesting if quite common subject and question that is posted time and again on mailing lists and newsgroups either related to views or to other PL/SQL code. There is often confusion with this in views and people often write views and wonder why there is a problem when they have been granted access already via a role. I was particularly interested in the thread mainly for Paul's comments though, I thought they summed up the issues very well.