b3yc0d3 / exas

Execute commands as another user

Argument check not preventing additional arguments

McModknower opened this issue

The argument check during the rule checking at exas/exas.c, line 131 in 61670f4:

```c
bool_t matchargs = (currul.arguments == NULL || inarray(params, currul.arguments));
```

will call inarray with the arguments in the rule as the second parameter. Since inarray has the outer loop over the second list, it will check that all the elements in the second list are also in the first list, aka that all arguments in the rule are also in the command.

This does not prevent extra arguments that might compromise security, like adding -F /etc/shadow to exas -u root dmesg.
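The behaviour reported above, as an added example that is not part of the issue or of the exas source: `subset_match` is a hypothetical reconstruction of the check as the issue describes it, and `exact_match` is one possible stricter comparison. The function names and the `-T` rule argument are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Subset check as the issue describes it: the outer loop runs over the
 * rule's arguments, so it only proves that each rule argument appears
 * somewhere in the command. Hypothetical reconstruction, not exas code. */
bool subset_match(const char *const params[], const char *const rule_args[])
{
    for (size_t i = 0; rule_args[i] != NULL; i++) {
        bool found = false;
        for (size_t j = 0; params[j] != NULL && !found; j++)
            found = strcmp(rule_args[i], params[j]) == 0;
        if (!found)
            return false;
    }
    return true;
}

/* Stricter check: same number of arguments, same values, same order,
 * so anything appended to the permitted list is rejected. */
bool exact_match(const char *const params[], const char *const rule_args[])
{
    size_t i = 0;
    for (; params[i] != NULL && rule_args[i] != NULL; i++)
        if (strcmp(params[i], rule_args[i]) != 0)
            return false;
    return params[i] == NULL && rule_args[i] == NULL;
}

/* Constructed sample data: a rule permitting only "-T", a command that
 * matches it, and a command with the extra arguments from the issue. */
const char *const rule_args[]  = { "-T", NULL };
const char *const plain_cmd[]  = { "-T", NULL };
const char *const padded_cmd[] = { "-T", "-F", "/etc/shadow", NULL };

int main(void)
{
    printf("subset, plain:  %d\n", subset_match(plain_cmd, rule_args));
    printf("subset, padded: %d\n", subset_match(padded_cmd, rule_args));
    printf("exact,  plain:  %d\n", exact_match(plain_cmd, rule_args));
    printf("exact,  padded: %d\n", exact_match(padded_cmd, rule_args));
    return 0;
}
```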