When or why will a principal attached to an account have a different permissions than an SCP applied to the same account?

Question

AWS allows us to create an SCP on an account/OU while at the same time allowing us to specify different or broader permissions to a specific principal. Eventually though the