The permission is applied when folder is created. The Microsoft Windows Installer attempts to preserve the security on objects that already exist on the system.
It is probably that subfolder, with no explicit security descriptor set, hence receiving default security descriptor, is created before the parent folder, which is listed in
LockPermissions table with explicit security descriptor, is created. As explained in
Remarks section of LockPermissions table, MSI service will attempt to preserve the security on subfolder.
I would suggest verifying the order of folders, in CreateFolder table in the MSI, created. It appears that MSI will create folders in the order they appear in CreateFolder table. I am not aware of a way to control the order.