Right, the point is the proxy-id pairs are based on the address objects in the policy. Not on the address triggering the IPSEC tunnel.
For example, the policy has:
sources:
192.168.1.0/24
192.168.2.3/32
192.168.100.0/25
Destination:
10.1.1.0/24
10.2.2.3/32
This will yeild 6 proxy-id pairs.
When a device 192.168.1.100 creates traffic to 10.1.1.25
This pair will come up: 192.168.1.0/24 - 10.1.1.0/24
Likewise any specific traffic initiated will match the appropriate pair from the policy but will not generate a pair that is not configured in the policy.