Summary: Traffic is evaluated against policies in a top-down manner.
Traffic is evaluated against the hierarchical policy tree in a top-down manner. That is, the traffic is evaluated against the circuits in top-down order to determine which circuit will be handling the traffic. Once the appropriate circuit is determined, the traffic is evaluated against that circuit's virtual circuits in top-down order to determine which virtual circuit will be handling the traffic. Once the appropriate virtual circuit is determined, the traffic is evaluated against that virtual circuit's policies in top-down order to determine which policy will be handling the traffic. Any given packet will only be handled by one circuit, one virtual circuit, and one policy.
It is recommended that the most specific policies (that is, those specific to a certain application or a small number of hosts) go at the top of the optimizer tree, so that their traffic is not accidentally caught first by a more general policy. For example, if there is a VPN policy for all users, but a second policy is needed to change the rules for a small subset of VPN users, that second policy would need to be at the top to ensure that those specific hosts' traffic goes into that policy rather than the general VPN policy.
Bandwidth is not shared between policies in general. In the above situation, if the 'specific user VPN' policy has reached its burst bandwidth, it will not start taking bandwidth from the 'general VPN' policy below it in the hierarchy, even if that policy has some to spare. The traffic will still fall into the 'specific' policy and will have to negotiate for bandwidth with the rest of the traffic in that policy.
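The first-match walk and the VPN ordering problem described above can be modelled in a few lines. This is an added example, not the product's own code: the tree layout, the names, the subnets, and matching circuits by subnet and policies by application and host are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: all names, subnets and hosts are assumptions.
GENERAL = {"name": "General VPN", "app": "vpn", "hosts": None}  # None = any
SPECIFIC = {"name": "Specific user VPN", "app": "vpn",
            "hosts": {"10.1.5.10", "10.1.5.11"}}

def make_tree(branch_policies):
    """One circuit with two virtual circuits, listed in top-down order."""
    return [{"name": "WAN", "net": "0.0.0.0/0", "vcs": [
        {"name": "Branch", "net": "10.1.0.0/16", "policies": branch_policies},
        {"name": "Catch-all", "net": "0.0.0.0/0",
         "policies": [{"name": "Default", "app": None, "hosts": None}]},
    ]}]

def first(items, pred):
    """Return the first item in list order for which pred holds, else None."""
    return next((i for i in items if pred(i)), None)

def policy_matches(p, host, app):
    return p["app"] in (None, app) and (p["hosts"] is None or host in p["hosts"])

def classify(tree, host, app):
    """Pick one circuit, then one virtual circuit, then one policy."""
    in_net = lambda node: ip_address(host) in ip_network(node["net"])
    circuit = first(tree, in_net)
    vc = first(circuit["vcs"], in_net) if circuit else None
    if vc is None:
        return None
    # Only the chosen virtual circuit's policies are consulted.
    policy = first(vc["policies"], lambda p: policy_matches(p, host, app))
    return circuit["name"], vc["name"], policy["name"] if policy else None

def shadowed(policies):
    """Names of policies fully covered by a policy placed above them."""
    out = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            app_cov = q["app"] is None or q["app"] == p["app"]
            host_cov = q["hosts"] is None or (
                p["hosts"] is not None and p["hosts"] <= q["hosts"])
            if app_cov and host_cov:
                out.append(p["name"])
                break
    return out

if __name__ == "__main__":
    for order in ([GENERAL, SPECIFIC], [SPECIFIC, GENERAL]):
        print(classify(make_tree(order), "10.1.5.10", "vpn"), shadowed(order))
```

Running `shadowed` over each virtual circuit's policy list is a quick audit for rules that can never match because a broader rule sits above them.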