What’s the difference between Local and Physical attack vector in CVSS 3.1?

I’ve been reviewing the CVSS 3.1 specification recently.

I encountered the example below:

Sophos Login Screen Bypass Vulnerability (CVE-2014-2005)

Sophos Disk Encryption (SDE) 5.x in Sophos Enterprise Console (SEC)
5.x before 5.2.2 does not enforce intended authentication requirements
for a resume action from sleep mode, which allows physically proximate
attackers to obtain desktop access by leveraging the absence of a
login screen.

For this vulnerability, the attack vector parameter is set to Physical, but based on the CVSS 3.1 description and specification, it should be Local.

Local:

The vulnerable component is not bound to the network stack and the
attacker’s path is via read/write/execute capabilities. Either: the
attacker exploits the vulnerability by accessing the target system
locally (e.g., keyboard, console), or remotely (e.g., SSH); or the
attacker relies on User Interaction by another person to perform
actions required to exploit the vulnerability (e.g., using social
engineering techniques to trick a legitimate user into opening a
malicious document).

Physical:

The attack requires the attacker to physically touch or manipulate the
vulnerable component. Physical interaction may be brief (e.g., evil
maid attack) or persistent. An example of such an attack is a cold
boot attack in which an attacker gains access to disk encryption keys
after physically accessing the target system. Other examples include
peripheral attacks via FireWire/USB Direct Memory Access (DMA).

Do I have any misunderstanding here?

Am I wrong?