If the ros2cli tool supplies the environment variable itself when it runs, then that removes the error-prone aspect and the inconvenience for the user. The user wouldn’t even need to know it was happening.
I got the impression from another post of @ruffsl’s that any kind of wildcard matching when doing security policies was a Bad Idea[tm].
This sounds to me more like an oversight in the ros2cli tools implementation than an intentional design choice.