You are seeing 300 matches on an endpoint DI policy even though DI.MaxViolations is set to 100, and would like to understand why.
Any DLP version
As the agent extracts the document for evaluation, the DI.MaxViolations limit is applied per component. The different areas of the message (header, body, or individual sub-files) are each evaluated separately, and the matches for those individual components are then totaled together.
For endpoint, the agent configuration advanced settings include the setting Detection.MAX_NUM_MATCHES.int, the default of which is 300.
So if the combined total matches of an endpoint incident exceed Detection.MAX_NUM_MATCHES.int, the reported match count will be the value in that field.
This is expected behavior.
While these values can be changed, there will be a performance impact if you increase them.
Please see: