The problem is that New-AdaptedSecurityDescriptor is creating a security descriptor for an object that can't contain children, i.e., a file. That means that the flags that are contained for all of the ACEs in the SDDL string are ignored, and each ACE is set to apply only to the object.
In this case, the NETWORK account ACE is the only one that's explicitly set, so it's the only one being applied to the destination folder, so it's the only one that appears to be incorrect. The underlying SD has all of the ACEs with incorrect flags, though.
To fix it, you need to create a SD for a container. To do that, use the -IsContainer flag when calling New-AdaptedSecurityDescriptor: