If you have a complex query with subqueries, joins, etc., does the row level security get applied during SQL execution or on the final result set?
When data is accessed, row level security (RLS) is assessed. See The database system applies the access restrictions every time that data access is attempted from any tier.
The access restriction logic is located in the database tier rather than away from the data in another application tier. The database system applies the access restrictions every time that data access is attempted from any tier. This makes your security system more reliable and robust by reducing the surface area of your security system.
According to http://sharewithpals.com/articles/637dd719/Steps-to-configure-row-level-security-in-SQL-Server-2016:
While executing the select statement the rows are filtered based on the executing context of the query.
According to https://www.sqlshack.com/introduction-to-row-level-security-in-sql-server/
Row-Level Security in SQL Server is used to restrict the users at the database level rather than handling the restrictions at the application level. This access control is applied by the database every time a query is executed on the table irrespective of any application tier.