I'm testing a DLP policy to detect when a file that has a specific Sensitivity Label is shared inside the organisation. The expectation is that if the user shares the file in SharePoint it will be blocked; the user can then remove the sharing links and it will unblock.

My testing shows that as soon as the Sensitivity Label is applied, an alert event is generated because users other than the site owner have direct access to the file inherited from the document library. The file is never shared using a sharing link.

Does "internal shared" detection include any access other than the person who added the file or the site owner and not related to sharing links?