A for expression with an if clause does more than remove items from a list. It defines what survives into the next stage of your configuration. When that filtered result feeds for_each, it decides which resource instances exist at all.
The mechanism is direct.
Each element is evaluated.
The condition either keeps it or removes it.
The outcome is structural.
Keys that remain become resource addresses.
Keys that disappear trigger destruction.
This is where many engineers get caught.
They treat filtering as data cleanup.
Terraform treats it as scope control.