Greetings,
That makes more sense of what you are seeing. I suspect that the Control Center is receiving the quarantined item and is responsible for generating the BCC message and sending it out. The default setting for the Control Center when it sends out messages is to use DNS for the next hop. This is most likely resolving back to the inbound MTA of the scanner, causing the message to be caught as it is violating the policy.
A message audit search for the emails can confirm this behavior. If this is indeed the case, you may want to create a new group with AV, content filter and AS turned off and make sure that the user is targeted.
I would recommend the use of incident folders over other options. This can allow for an administrator to be notified that an item has been sent to an incident folder. The administrator can log in and then decide to release the item or deny sending it. Through the Control Center settings, you can create an administrator that has just enough permissions to log in and view incident folders for review and release if needed, without granting full access to the interface.
The quarantine was originally designed for anti-spam and has since been used as a regular quarantine for all items. Incident folders were created and designed to give more control over content, as the spam quarantine originally had a message size limit of 1MB, as most spam is under 1MB, and this caused undesired behavior.