What is the Domino ACL Entry Hierarchy and does DLAU look at it the same way?

Software Versions:
We are currently running our Domino servers on 12.0.2FP4+ on Windows Server 2019 - all 64-bit.
My client is the Notes Admin/Designer client 12.0.2FP6 (32-bit) on Windows 10.
I’m running DLAU V1.2.6

Question:
Can someone please set me straight on ACL order of precedence?
In my database ACLs, I have groups, individual names, and a wildcard person group in addition to -Default- and Anonymous. I think my understanding of ACL access ORDER is right and maybe DLAU isn’t right.

If Jane Doe/ABC is in a group called SALES, this is the order I THINK Domino uses from the most general to the most restrictive:

Anonymous (Reader)
-Default- (Reader)
*/ABC (Editor)
SALES (Author)
Jane Doe/ABC (No Access)

Jane is part of all of these, but in this particular database, Jane shouldn’t have access. I tested this on a database and “Jane” in fact didn’t have access to the database.
DLAU says she has access (through the wildcard entry). Is there something I am missing or should I open a DLAU ticket with support?

Jane Doe/ABC will have precedence assuming she’s logged in, so not anonymous and not default.

If the user isn’t logged in and is accessing via web then they’re anonymous and nothing else.

If they’re logged in and don’t match any other setting then the Default setting applies.

After that, it’s a union of everything they match, e.g. groups and */ABC.

The exception is if you add an exact name, e.g. Jane Doe/ABC; then the ACL uses that setting and nothing else.

1 Like
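The precedence rules from the reply above, written out as an added Python example (not code from Domino, DLAU, or either poster) and run against the ACL from the question. The function name `effective_access` is hypothetical, group membership is assumed to be already expanded, and roles and per-entry privilege flags are not modelled.

```python
# Domino ACL levels, lowest to highest.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

def effective_access(acl, user=None, groups=()):
    """Return (level, deciding ACL entries) per the rules stated in the reply.

    acl:    dict of ACL entry name -> level name
    user:   hierarchical name such as "Jane Doe/ABC"; None means not logged in
    groups: names of groups the user belongs to (assumed already expanded)
    """
    # Name comparison is case-insensitive; keep the original spelling for reporting.
    entries = {name.lower(): (name, level) for name, level in acl.items()}
    default = entries.get("-default-", ("-Default-", "No Access"))

    if user is None:
        # Not logged in: Anonymous and nothing else. With no Anonymous entry,
        # Domino gives anonymous users the -Default- level.
        name, level = entries.get("anonymous", default)
        return level, [name]

    key = user.lower()
    if key in entries:
        # Exact-name entry: that setting is used and nothing else.
        name, level = entries[key]
        return level, [name]

    # Otherwise: union of every matching group and wildcard entry.
    matched = [entries[g.lower()] for g in groups if g.lower() in entries]
    matched += [pair for k, pair in entries.items()
                if k.startswith("*/") and key.endswith(k[1:])]
    if not matched:
        # Logged in but nothing matched: -Default- applies.
        return default[1], [default[0]]

    best = max(matched, key=lambda pair: LEVELS.index(pair[1]))
    return best[1], [name for name, _ in matched]

# ACL from the question above.
ACL = {
    "Anonymous": "Reader",
    "-Default-": "Reader",
    "*/ABC": "Editor",
    "SALES": "Author",
    "Jane Doe/ABC": "No Access",
}

if __name__ == "__main__":
    print(effective_access(ACL, "Jane Doe/ABC", ["SALES"]))  # explicit entry wins
    print(effective_access(ACL, "John Roe/ABC", ["SALES"]))  # constructed second user
```

The second call uses a constructed user who has no explicit entry, to show the union of the SALES group and the `*/ABC` wildcard for comparison with Jane's explicit entry.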