While discussing another multiprotocol access issue I realized that I have never seen the answer to this. Let's suppose I set default security to mixed. Then newly created volume will get security style "mixed"; but which security will get root of this volume? It must have either Unix or ACL; how is one selected?
First off I will suggest against using mixed unless absolutely necessary. In most environments it's not a good thing.
That being said each file or directory will have either a set of UNIX permission bits or an Windows ACL. Any user (root included) will be mapped to the appropriate space according to the permissions on that file. This is why most people map root to a Windows Administrator account to make sure it works either way.
But I generally recommend choosing unix or ntfs for a security style if at all possible. Mixed mode is not required for multiprotocol access and picking one of the other two modes simplifies permission issues.
It looks like your talking about the root inode of a newly created mixed volume. While I'm not a WAFL engineer I would assume it starts with UNIX permissions, but I doubt in most cases it matters since it's changeable at the first access and most sites have root mapped to Administrator (since ONTAP does this by default). With that mapping if a Windows admin mapped to root makes a change on that inode, poof, it's an ACL.