Customizing in migration of Pod Security Admission

From my understanding, Pod Security Admission (PSA) has no customization feature.
We can only select one of the security levels (privileged, baseline or restricted).

Now, there is a pod which uses only the capability CAP_NET_ADMIN.
But the ‘baseline’ level of PSA doesn’t have CAP_NET_ADMIN.
As a result, should this pod be created with the ‘privileged’ level,
even though the pod needs only one capability?
Is my understanding correct? Is this the only way to set up this pod with PSA?
I wonder about it, because I think it’s not good for security.

Could you please share your opinions about it?
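
The situation described in the post above, as an added example that is not part of the original post: a small checker that reports the strictest PSA level whose capability rules a pod spec passes. It covers only the capability controls of the Pod Security Standards; the function names and the sample pods are constructed for illustration.

```python
# Added example. Covers only the capability rules of the Pod Security Standards;
# other controls (host namespaces, hostPath volumes, ...) are not checked.
# Pod specs name capabilities without the CAP_ prefix (NET_ADMIN, not CAP_NET_ADMIN).
BASELINE_ADDABLE = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})
RESTRICTED_ADDABLE = frozenset({"NET_BIND_SERVICE"})


def containers(pod):
    """Yield every container the capability rules apply to."""
    spec = pod.get("spec") or {}
    for field in ("containers", "initContainers", "ephemeralContainers"):
        yield from spec.get(field) or []


def required_level(pod):
    """Return (level, reasons): the strictest level whose capability rules the pod passes."""
    over_baseline, over_restricted = [], []
    for c in containers(pod):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        add, drop = set(caps.get("add") or []), set(caps.get("drop") or [])
        name = c.get("name", "<unnamed>")
        for cap in sorted(add - BASELINE_ADDABLE):
            over_baseline.append(f"{name}: adds {cap}")
        for cap in sorted(add - RESTRICTED_ADDABLE):
            over_restricted.append(f"{name}: adds {cap}")
        if "ALL" not in drop:  # restricted requires every container to drop ALL
            over_restricted.append(f"{name}: does not drop ALL")
    if over_baseline:
        return "privileged", over_baseline
    if over_restricted:
        return "baseline", over_restricted
    return "restricted", []


def pod(name, add=None, drop=None):
    """Build a constructed single-container sample pod."""
    caps = {"add": add or [], "drop": drop or []}
    return {"spec": {"containers": [{"name": name, "securityContext": {"capabilities": caps}}]}}


SAMPLES = {
    "net-admin": pod("vpn", add=["NET_ADMIN"], drop=["ALL"]),
    "chown": pod("app", add=["CHOWN"]),
    "web": pod("web", add=["NET_BIND_SERVICE"], drop=["ALL"]),
}

if __name__ == "__main__":
    for label, p in SAMPLES.items():
        print(label, *required_level(p))
```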