The answer I got from their technical support line was pretty ridiculous.
The switch that we're using separates the configuration of untagged packets into separate input and output sections. The interface marked "VLAN Membership" allows users to mark each port as a tagged or untagged member of each VLAN, or not a member of the VLAN. These marks indicate how packets received on a given VLAN will be output to each port. The interface maked "Port PVID configuration" allows users to mark each port with a "PVID". This setting controls what VLAN will receive packets which are sent to this port without a VLAN tag. VLAN 1 is the management VLAN and cannot be modifed. All ports will always be output ports for VLAN 1 traffic.
The documentation does not explain this behavior, and in fact contradicts it by showing multiple screenshots of the interface where a subset of ports are untagged "members" of VLAN 1.
The entire paradigm of setting untagged VLAN memberships in input and output separately is ridiculous. There is no situation where you would ever be able to use asymmetrical untagged port memberships. If a device sends untagged packets, it must receive them untagged as well. If a port is configured to output untagged packets for a VLAN, this logically implies the reverse, which makes the "PVID" interface completely unnecessary.
Also troublesome is the fact that since all ports are always output members for VLAN 1, that VLAN is unusable where users want to segregate traffic between two VLANs. In that situation, which will virtually always be the case where VLANs are used, users must create VLANs for both (or all) of their segregated networks, and not use VLAN 1 at all. However, only members of VLAN 1 can reach the switch's management interface. Users can solve this in one of two ways: Either they can have a host which is connected to two ports (one of which uses the default configuration), or they must configure one host's port to be a tagged member of the desired VLAN -- leaving the PVID configured as "1" -- and configure the desired address on a tagged interface on the host, with an additional address for management on an untagged interface on the host.
Finally, as far as I can tell, any port is capable of accepting tagged packets from any VLAN id, which means that any host can inject packets to any VLAN, which may be viewed as a substantial security flaw.