Applying isOwner Policy to user-permissions Plugin

In this case, you’ve actually got two routes. The first one is yours from extensions and the second one is Strapi’s default route, both under the same handler User.update. All your custom routes from extensions are merged with user-permission routes.


Also, all the routes created in plugins are prefixed with the plugin’s name by default.

So if you are calling PUT /users/1 to update the user, then it uses the user-permissions’s route with default policies and not your custom route with the isOwner policy. In the current example, your route is accessible under PUT /users-permissions/users/1. Also, in this case, if you grant permissions for the user to Update, the user will have access to update its own profile under /user-permissions/users/:id and ANY other user under /users/:id.

You can’t completely overwrite the plugin’s routes, since these are merged. If you could completely overwrite the default routes, you would break its functionality.

BTW, the updateMe functionality is WIP.

I would recommend adding a new route that is not identical to the user-permissions routes; that one should update the user by getting the ID from the token.

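The recommendation above (a separate route that takes the user ID from the token) could look like the following added example, which is not code from the original post or from Strapi. It assumes the authenticated user is available as ctx.state.user; the route path PUT /profile/me, the field whitelist, and the injected userService with an edit(params, values) method are hypothetical.

```javascript
'use strict';

// Assumed whitelist of fields a user may change on their own account.
const SELF_EDITABLE_FIELDS = ['username', 'email', 'password'];

// Decide whose record is updated and with what, using only the authenticated
// user (ctx.state.user, set from the token). ctx.params.id and body.id are ignored.
function buildSelfUpdate(ctx) {
  const user = ctx.state && ctx.state.user;
  if (!user || user.id === undefined || user.id === null) {
    return { status: 401, error: 'Authentication required' };
  }
  const body = (ctx.request && ctx.request.body) || {};
  const data = {};
  for (const field of SELF_EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) data[field] = body[field];
  }
  if (Object.keys(data).length === 0) {
    return { status: 400, error: 'No editable fields supplied' };
  }
  return { status: 200, id: user.id, data };
}

// Hypothetical controller action for a dedicated route such as PUT /profile/me.
// userService is injected; it needs an edit(params, values) method.
function makeUpdateMe(userService) {
  return async function updateMe(ctx) {
    const plan = buildSelfUpdate(ctx);
    if (plan.status !== 200) {
      ctx.status = plan.status;
      ctx.body = { error: plan.error };
      return;
    }
    ctx.status = 200;
    ctx.body = await userService.edit({ id: plan.id }, plan.data);
  };
}

// Constructed request: user 1 is logged in but tries to target user 2 and set a role.
const sampleCtx = {
  state: { user: { id: 1 } },
  params: { id: '2' },
  request: { body: { id: 2, role: 'admin', email: 'new@example.test' } },
};
```

Because the target ID never comes from the URL or body, granting the Update permission on this route does not let one user edit another, and the whitelist keeps fields such as role out of self-service updates.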