Correct. This * will only match the values that are present in the %LEVEL field in your SectionAccess table, not those additional values in the %LEVEL field in Section Application.
Note that this behavior is ok in QV Desktop. In a published document on the server, the story is different again. In the AccessPoint, everybody is a USER. And while a blank link field will let ADMINs enter this document in QV Desktop, it will get them kicked out if you enable 'Strict Exclusion'.