This behavior is expected. When a firewall rule specifies Defined Networks as its local or remote network and you want the rule to match only specific addresses rather than all traffic, make sure that at least one address is added as "Not Trusted" in Defined Networks in the Firewall Options policy.
There's no firewall rule needed for addresses added as "Trusted" in Defined Networks because all incoming and outgoing traffic for these addresses is automatically trusted.
In Host Intrusion Prevention, Trusted Networks is a database or list of networks. These networks aren't automatically trusted. An allow or block firewall rule can be created and linked to Trusted Networks.
In ENS, Trusted Networks became Defined Networks. The automatically trusted functionality is available in ENS through addresses marked "Trusted" in Defined Networks. A database or list of networks for use in firewall rules is also available: configure the addresses as "Not Trusted" in Defined Networks.
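The matching behavior described above, as an added simplified model (not product code or a product API): a rule scoped to Defined Networks matches all traffic when no address is marked "Not Trusted". The `DefinedNetworks` class, the `decide` and `audit` functions, and the sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DefinedNetworks:
    """Hypothetical stand-in for the Defined Networks list in Firewall Options."""
    trusted: list = field(default_factory=list)      # CIDRs marked "Trusted"
    not_trusted: list = field(default_factory=list)  # CIDRs marked "Not Trusted"


def _in_any(addr, cidrs):
    a = ip_address(addr)
    return any(a in ip_network(c, strict=False) for c in cidrs)


def decide(addr, nets, rule_action):
    """Outcome for one rule whose network is set to Defined Networks."""
    if _in_any(addr, nets.trusted):
        return "trusted"            # automatically trusted, no rule needed
    if not nets.not_trusted:
        return rule_action          # no "Not Trusted" entry: rule matches all traffic
    if _in_any(addr, nets.not_trusted):
        return rule_action          # rule matches only the listed addresses
    return "no-match"               # rule does not apply to this address


def audit(nets, rule_names):
    """Return the rules that match all traffic because no entry is Not Trusted."""
    return [] if nets.not_trusted else list(rule_names)


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    only_trusted = DefinedNetworks(trusted=["10.0.0.0/8"])
    scoped = DefinedNetworks(trusted=["10.0.0.0/8"], not_trusted=["192.0.2.0/24"])
    for label, nets in (("only Trusted entries", only_trusted),
                        ("with Not Trusted entry", scoped)):
        print(label, "-> rules matching all traffic:",
              audit(nets, ["Allow from Defined Networks"]))
        for addr in ("10.1.2.3", "192.0.2.10", "203.0.113.7"):
            print("  ", addr, decide(addr, nets, "allow"))
```

Running `audit` over each policy's Defined Networks list before deployment flags rules that would otherwise apply to every address.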