Indices and Spaces are different. A Space is application-level: it's what defines access to Kibana objects, such as index patterns, dashboards, and Advanced Settings. It also defines access to features such as the ability to create a shortened URL, or the ability to view or change advanced settings.
In the role that you have defined, a user could view Kibana objects (dashboards) that belong to the
vulcano space and use the features that are enabled in that space. If they open a dashboard in that space, the dashboard will only show data in the indices that the user has privilege to read, which are the defined in the
indices level of the role definition.
BTW if you give the user
all privileges to
.reporting-*, they could potentially view reports that were generated with data from indices that they shouldn't have access to view. It's STRONGLY recommended NOT to give users any privilege to system indices :).
Kibana provides APIs for letting users access its own data, so that every request can come from a user having the least amount of privileges they need.