That's right. What CPPA aims to do in broad strokes is to ensure that there is a high threshold of privacy protection for all personal information utilized in a commercial context and that there is significant and meaningful enforcement of obligations related to commercial entities that interact with personal information.
What “sensitive” aims to ensure is that there's a concentric circle or an inner circle of very protected data for which there are security protocols in place and much higher privacy protections, including about how they got that information in the first place, notably through some form of express consent. It's not the Wild West or Fort Knox. Ideally, it is a highly constrained utilization where it makes sense in how it's utilized, and then very constrained because of the nature of the information at play.