If a session is created by just hitting a specific module; it's AuthLevel is set to that of the module's AuthLevel WITHOUT any reference to realm:
with AuthLevel added to session whitelist:
If however you go through step up, realm is included. This is inconsistent and adds complexity for customers implementing logic based on the value of this property.
Note the behaviour is the same if you traverse a chain.