Two PACSelectors with two deploymentRootScope override each other

[sdecker]

I'm trying to figure out if I've completely misunderstood what is possible with EPAC or if I've misconfigured my global-settings.jsonc. We are trying to use Release Flow and we have the following MG hierarchy.

Tenant Root
-- mg-org
---- mg-division1
------ mg-subdivision1
-------- Subscription: division1 subdvision1 DEV
-------- Subscription: division1 subdvision1 QA
-------- Subscription: division1 subdvision1 Prod
------ mg-subdivision2
-------- Subscription: division1 subdvision2 DEV
-------- Subscription: division1 subdvision2 QA
-------- Subscription: division1 subdvision2 Prod
---- mg-division2
------ mg-subdivision1
-------- Subscription: division2 subdvision1 DEV
-------- Subscription: division2 subdvision1 QA
-------- Subscription: division2 subdvision1 Prod
------ mg-subdivision2
-------- Subscription: division2 subdvision2 DEV
-------- Subscription: division2 subdvision2 QA
-------- Subscription: division2 subdvision2 Prod

etc...

We've got two PAC selectors "nonprod" and "prod" where the nonprod lists the prod subs in the globalNotScopes and prod lists the Dev and QA subs in the globalNotScopes.

{
  "pacSelector": "prod",
  "cloud": "AzureCloud",
  "tenantId": "XXXXXX",
  "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-fdic",
  "desiredState": {
    "excludedPolicySetDefinitions": [],
    "excludedPolicyAssignments": [],
    "excludedPolicyDefinitions": [],
    "strategy": "ownedOnly",
    "keepDfcSecurityAssignments": true,
    "excludedScopes": []
  },
  "globalNotScopes": [
    "/subscriptions/56d2d637-cf43-49a9-9373-7f211fb07123", //Division1 SubDivision1 DEV
    "/subscriptions/cb188fce-95b1-4568-8a3b-d2ab4cc74381", //Division1 SubDivision1 QA
    "/subscriptions/f5275129-d154-43b5-81d9-8a288afc2448", //Division1 SubDivision2 DEV
    "/subscriptions/11090516-ff49-42da-a138-46f16752d703", //Division1 SubDivision2 QA
    "/subscriptions/7123500e-b7a8-4caa-bd76-792b8fca02f2", //Division2 SubDivision1 DEV
    "/subscriptions/871bf9d0-d003-40da-a920-123d0e3b3055", //Division2 SubDivision1 QA

etc.
],
"managedIdentityLocation": "eastus"
},
{
"pacSelector": "nonprod",
"cloud": "AzureCloud",
"tenantId": "XXXXXX",
"deploymentRootScope": "/providers/Microsoft.Management/managementGroups/mg-fdic",
"desiredState": {
"excludedPolicySetDefinitions": [],
"excludedPolicyAssignments": [],
"excludedPolicyDefinitions": [],
"strategy": "ownedOnly",
"keepDfcSecurityAssignments": true,
"excludedScopes": []
},
"globalNotScopes": [
"/subscriptions/9a96361a-746c-4762-b7d5-2db22e227552", // Division1 SubDivision1 Prod
"/subscriptions/e36a86ee-9789-4a48-9505-f86dada82520", // Division1 SubDivision2 Prod
"/subscriptions/07e4e9cb-1bf5-4063-bb6d-206c4ef44b94", // Division2 SubDivision1 Prod
etc.
],
"managedIdentityLocation": "eastus"
},

We then define the an assignment with children

"children": [
{
"nodeName": "Prod/",
"assignment": {
"name": "pr-",
"displayName": "Prod ",
"description": "Prod Environment controls enforcement with "
},
"parameters": {
"vmDomainRequiredTagsEffect": "Audit",
"mlPublicIPEffect": "Deny"
},
"scope": {
"prod": [
"/providers/Microsoft.Management/managementGroups/mg-org"
]
}
},
{
"nodeName": "NonProd/",
"assignment": {
"name": "np-",
"displayName": "NonProd ",
"description": "Non Prod Environment controls enforcement with "
},
"parameters": {
"vmDomainRequiredTagsEffect": "Deny",
"mlPublicIPEffect": "Deny"
},
"scope": {
"nonprod": [
"/providers/Microsoft.Management/managementGroups/mg-org"
] }
},

They each create their respective assignment as expected excluding the correct subs/resources, but the issue is that when we deploy to prod it deletes the nonProd assignment and vice versa. How do we get two selectors at the same root scope to leave the others assignment alone?