Reproduce setcap behavior with capsh

1 vote
1 answer
501 views
There is a non-capability-aware program that requires at least 1) cap_sys_admin and 2) either cap_dac_override or cap_dac_read_search. This can be proven as follows:
sudo setcap 'all=ep cap_sys_admin-ep' ./binary                         # ./binary doesn't work
sudo setcap 'all=ep cap_dac_override-ep' ./binary                      # ./binary works
sudo setcap 'all=ep cap_dac_read_search-ep' ./binary                   # ./binary works
sudo setcap 'all=ep cap_dac_override,cap_dac_read_search-ep' ./binary  # ./binary doesn't work
I want to do the same checks using capsh instead of setcap. Before these checks, all file capabilities are removed using sudo setcap -r ./binary. The first three succeed; the results match setcap:
sudo capsh --user=jdoe --keep=1 --caps="all=eip" --addamb="all" --delamb="cap_sys_admin" -- -c ./binary
sudo capsh --user=jdoe --keep=1 --caps="all=eip" --addamb="all" --delamb="cap_dac_override" -- -c ./binary
sudo capsh --user=jdoe --keep=1 --caps="all=eip" --addamb="all" --delamb="cap_dac_read_search" -- -c ./binary
The last one fails: the program still works when it shouldn't:
sudo capsh --user=jdoe --keep=1 --caps="all=eip" --addamb="all" --delamb="cap_dac_override,cap_dac_read_search" -- -c ./binary
Is there some difference between filesystem and process capabilities that I fail to notice? How do I write the third test properly?
Asked by PlushBeaver (113 rep)
Sep 2, 2022, 11:51 AM
Last activity: Sep 11, 2022, 12:12 AM
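The difference the question is about is how the kernel recomputes a process's capability sets when it calls execve(2): file capabilities set with setcap feed the new permitted and effective sets, while the ambient set that capsh --addamb populates simply survives a plain exec (of a binary with no file capabilities) and becomes the new effective set. The script below is an added example, not code from the original post: it models those execve rules as given in capabilities(7), replays each setcap and capsh command from the question through the model, and decodes the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status so the model can be checked against a real process. It assumes a kernel with the 41 capabilities up to cap_checkpoint_restore, a non-root caller with no set-UID bits involved, and binary_works() is a hypothetical stand-in for the poster's binary (needs cap_sys_admin plus one of the two DAC capabilities); the sample status text in the usage note is constructed.

```python
"""Added example (not from the original post): a model of how the kernel
recomputes a process's capability sets across execve(2), following the
formulas in capabilities(7), plus a decoder for the Cap* lines of
/proc/<pid>/status. Assumes a kernel with 41 capabilities (bits 0..40)
and a non-root caller with no set-UID/set-GID binaries involved.
"""
import sys

# Capability numbers as defined in <linux/capability.h>: list index == bit.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
ALL = frozenset(CAP_NAMES)
NONE = frozenset()


def decode_mask(hexmask):
    """Turn a CapXxx hex bitmask from /proc/<pid>/status into capability names."""
    bits = int(hexmask, 16)
    return frozenset(name for i, name in enumerate(CAP_NAMES) if bits >> i & 1)


def proc_caps(status_text):
    """Parse the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of a /proc/<pid>/status dump."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, value = line.split(":", 1)
            caps[key.strip()] = decode_mask(value.strip())
    return caps


def exec_transition(proc, file_caps=None):
    """Capability sets after execve, per the rules in capabilities(7).

    proc: dict with keys inh, prm, eff, bnd, amb (frozensets of names).
    file_caps: None when the binary carries no file capabilities, else a dict
    with keys prm, inh (frozensets) and eff (bool: the 'e' flag from setcap).
    """
    privileged = file_caps is not None          # a file with caps is "privileged"
    amb = NONE if privileged else proc["amb"]   # ambient survives only a plain exec
    f_prm = file_caps["prm"] if privileged else NONE
    f_inh = file_caps["inh"] if privileged else NONE
    prm = (proc["inh"] & f_inh) | (f_prm & proc["bnd"]) | amb
    eff = prm if (privileged and file_caps["eff"]) else amb
    return dict(inh=proc["inh"], prm=prm, eff=eff, bnd=proc["bnd"], amb=amb)


def binary_works(eff):
    """Hypothetical stand-in for the poster's binary: it needs cap_sys_admin
    plus either cap_dac_override or cap_dac_read_search in its effective set."""
    return "cap_sys_admin" in eff and bool(eff & {"cap_dac_override", "cap_dac_read_search"})


def setcap_run(dropped):
    """sudo setcap 'all=ep <dropped>-ep' ./binary, then ./binary as an ordinary user."""
    proc = dict(inh=NONE, prm=NONE, eff=NONE, bnd=ALL, amb=NONE)
    file_caps = dict(prm=ALL - dropped, inh=NONE, eff=True)
    return exec_transition(proc, file_caps)


def capsh_run(dropped):
    """capsh --caps=all=eip --addamb=all --delamb=<dropped> -- -c ./binary with
    no file caps on ./binary: capsh execs bash, bash execs ./binary, both plain
    execs, so each process ends up with effective == ambient."""
    proc = dict(inh=ALL, prm=ALL, eff=ALL, bnd=ALL, amb=ALL - dropped)
    shell = exec_transition(proc)        # capsh -> /bin/bash -c ./binary
    return exec_transition(shell)        # /bin/bash -> ./binary


if __name__ == "__main__":
    # Run this in place of ./binary to see what the process really holds, e.g.
    #   sudo capsh ... -- -c 'python3 caps.py'
    real = proc_caps(open("/proc/self/status").read()) if sys.platform.startswith("linux") else {}
    for key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
        print(key, sorted(real.get(key, NONE)))
```

Run through the model, all four setcap commands and all four capsh commands give the same answer: the fourth capsh run should leave the binary with neither DAC capability in its effective set, just like the fourth setcap run. So if the real program still works, the thing to inspect is what capsh's own process held right before the exec, not the exec rules: substituting the script above for ./binary (or running `capsh --print` at the same point) shows whether CapAmb and CapEff actually lost both capabilities as the --delamb argument intended, or whether only one of them was dropped.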