The login happens before the trigger, so a stale cache is required to avoid the bypass

Logon triggers can be used instead of stale caches, and is used in conjunction with IS_SRVROLEMEMBER() to check against the stale cache administrator logons

In Single user mode, the administrator logs in as sysadmin anyway, so a stale cache is used to check for privileges instead of IS_SRVROLEMEMBER()

Stale caches are disabled when using single user mode, therefore logon triggers are required to enable their triggers