Hi Ahmed,
The reason it checks the normal security policy is that becasue the traffic is not destined to the interface where the traffic is first received and in this case it is the untrust zone interface.
You are trying to ping Trust zone interface from a device connected to untrust zone interface and hence traffic has to traverse the two zones though the ping is destined to the trust zone interface itself. Hence it will first check for the normal security policy check and then check if it is allowed as host inbound traffic for the trust zone interface or not or it will check if there is any policy to the junos-host zone.
To summarize normal security policies come into the picture whenever the traffic has to traverse from one zone to the other zone irrespective of the fact that the destionation is on the SRX itself or not. If the traffic is not destined to SRX then nothing else will be checked and the traffic will be permitted or dropped as configured but if the traffic is destined to SRX then it will check for the host-inbound services for the destination interface or junos-host zone policy if any configured.
Hope this helps to answer your queries 🙂
Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.