I can't change the username??? Okay, that likely explains the odd behaviour of this test example, and also the odd behaviour of my actual real code.
I'm using a third party database to authenticate the user, but using kentico's membership system (roles, permissions, etc) for everything else.
After authenticating the user in the third party database, I create a local kentico copy of that user. And I sync those internal+external users by putting a unique ID in the kentico username field (makes it much easier to find a specific user in the kentico user list). But users actually enter a totally different username for that initial authentication with the third party database.
So I'm basically changing the username of the "current user" after the visitor logs in. Which is causing the odd behaviour I'm getting.
I'll change the code so the username for the internal+external users are the same, and I'll add a custom field for the unique identifier. And now the fact that the username is no longer changing will hopefully solve the issues.