Depending on the QoA configured or requested by the application (or implied by the requested Level of Trust), the user must complete no verification (QoA1), either the manual identification or the video identification method (QoA2), or the QoA2 requirements plus the API verification method (QoA3).

QoR Claims

In the id_token, the fulfilled_qors claim lists the QoAs that the user has passed.

Note: This is independent of arm_values, which only contains the passed LoT and QoR definitions requested by the current application. A user could log in to your application with QoA1 but also have passed QoA2. Since QoA2 was not requested by the application, it is not included in arm_values, but it is included in fulfilled_qors.