It looks to be the case. The documentation states:
"When the device examines the first packet of a flow, it determines the corresponding security policy, and performs a security policy lookup. During this process following cases are observed:
1. If the traffic matches a legacy security policy or the final policy, the session is created."
In your case it looks like the first packet will match the legacy policy, because only one packet is not enough for AppID to determine the Dynamic Application. Besides, the doc says:
"During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies in the potential policy list, the SRX Series device applies the default security policy until a more explicit match has occurred"
But in your case there is no policy conflict and a more specific security policy exists (the legacy one), so it will be chosen. Can you share a "show security flow session session-identifier [session_ID]" in order to confirm whether AppID is identifying the dynamic-application correctly or not?
Pura Vida from Costa Rica - Mark as Resolved if it applies. Kudos are appreciated too!