Looks like its time for me to add some background info.
Relays do not perform any relay selection. The accompanying client performs this work for it. The client will obviously use the relay it is installed with but does find the parent that the relay talks to and instructs the relay to talk to that parent. By default, auto relay selection is NOT enabled when a client has a relay attached. There is another setting to do that but it isn’t something we recommend so I’m not going to mention the setting.
If you look in the logs of the recent clients (like 9.2) you will see the relay selection of the client show that it is using the localhost but has chosen its parent.
So, there are still cases where the client of an installed relay will fail over to root but it has to go through all these first, and as the comment of one of the settings states, Manual selection goes in this order, primary/secondary/tertiary list/failover/root
_BESClient_RelaySelect_TertiaryRelayList
Type: String
Version: 7.0
Platform: All
Default:
Requires Client Restart: NO
Description: semi-colon delimited list of relays to try.
Manual selection goes in this order, primary/secondary/tertiary list/failover/root
_BESClient_RelaySelect_FailoverRelay
Type: String
Version: 5.1
Platform: All
Default:
Requires Client Restart: NO
Description: failover relay used if configured and nobody is responding to pings. Like __RelayServer1, it should be of the form http://server:52311/cgi-bin/download
_BESClient_RelaySelect_FailoverRelayList
Type: String
Version: 9.0
Platform: All
Default:
Requires Client Restart: NO
Description: A semicolon delimited list of failover relay names used if configured and nobody is responding to pings. If present and not empty, it replaces _BESClient_RelaySelect_FailoverRelay
You obviously can still end up with cases where a client will chose the root as its parent, and a Fake Root (or impersonating root or however you want to call it) as @jgstew mentions is the only way to prevent that. A top level relay masquerading to everyone but consoles and that relay as the server is the only real way of preventing clients from getting to the root either by failing over or by initial install.