SQS uses envelope encryption, so the producer needs kms:GenerateDataKey to create a data key to encrypt the messages it sends, and it needs kms:Decrypt to verify the data key's integrity. It doesn't need kms:Encrypt, because it uses the data key to do the encryption.
The consumer just needs kms:Decrypt to decrypt the encrypted data key and then it can decrypt the messages using that data key.
So the repost doc is correct.
How is the application able to function correctly with the permissions 'reversed' like this?
My guess would be that either your queue isn't set up for SSE-KMS encryption, or your KMS key has the necessary permissions defined in its key policy.
Are there any pitfalls or potential problems with this arrangement I need to be aware of?
Assuming the queue is encrypted, then you've got duplicate permissions defined in different places, which isn't ideal, and you've got permissions defined that you don't need (e.g. neither producer nor consumer needs kms:Encrypt).
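The following is an added example, not part of the original answer: a small Python check that compares the KMS actions in an IAM identity policy against what the answer says each SQS role needs, reporting missing and unneeded grants. The function names, the sample policies and the key ARN are constructed for illustration, and the check looks only at Allow statements in the identity policy (it does not evaluate the KMS key policy, Deny statements or conditions).

```python
import fnmatch

# KMS actions each role needs on an SSE-KMS queue, as stated in the answer above.
REQUIRED = {
    "producer": {"kms:GenerateDataKey", "kms:Decrypt"},
    "consumer": {"kms:Decrypt"},
}

def _as_list(value):
    """IAM allows a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def allowed_kms_patterns(policy):
    """Collect KMS action patterns (including '*') from Allow statements."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.lower().startswith("kms:"):
                patterns.add(action)
    return patterns

def audit(role, policy):
    """Return (missing, excess) as sorted lists for the given role."""
    needed = REQUIRED[role]
    patterns = allowed_kms_patterns(policy)
    # IAM action names are case-insensitive and may contain wildcards.
    def matches(action, pattern):
        return fnmatch.fnmatchcase(action.lower(), pattern.lower())
    missing = {a for a in needed if not any(matches(a, p) for p in patterns)}
    # Anything that is not exactly a required action is broader than needed.
    needed_lower = {a.lower() for a in needed}
    excess = {p for p in patterns if p.lower() not in needed_lower}
    return sorted(missing), sorted(excess)

# Constructed sample policies; the key ARN is a placeholder.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
PRODUCER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": KEY}]}
CONSUMER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY}]}

if __name__ == "__main__":
    for role, pol in (("producer", PRODUCER_POLICY), ("consumer", CONSUMER_POLICY)):
        missing, excess = audit(role, pol)
        print(f"{role}: missing={missing} excess={excess}")
```

A role that reports missing actions but still works on an encrypted queue is getting them from somewhere else, such as the key policy, which is the duplicate-definition situation the answer describes.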