Hi Steve. Thanks for taking the time to respond to my questions!
I am still confused in one regard then - in my device 'show configuration security policies global' and 'show configuration security policies from-zone global to-zone global' actually show different entries. I consider both to be part of the global policy, but I do not know in which order will the lookup occur (assuming, of course, that the untrust-to-trust policy will not match).