02-03-2021 02:17 PM
Hi there,
I manage an ASA 5545-X (9.2-something).
There are a few VPN tunnels configured, they work fine. But when I try to put lines in the WAN_in ACL, to only allow certain peers to set up a tunnel, it doesn't seem to work; anyone can try to establish a VPN tunnel.
What am I overlooking?
02-04-2021 07:36 AM
Basically you are right that incoming VPN does not listen to ACL, especially permit statements. I do note that one of the addresses in your blacklist group is getting denied by your ACL, so perhaps that part of the ACL might be working.
It is a fundamental part of processing on ASA (quite different from router processing) that when you enable VPN/ISAKMP on the interface, that VPN traffic is allowed and does not need to be permitted in the interface ACL. How much of an issue that might be depends on how you have configured the site-to-site VPN. If you have 7 site-to-site VPNs, are there 7 set peer statements that specify the peer IP address? Or is there an entry that specifies 0.0.0.0 (common when one or more of the remote peers has a dynamic address)? If you specify the 7 peer addresses then you have no real exposure. Even if someone did learn the remote key, they would not be able to establish a VPN session if it did not originate from one of those addresses. If one of the peer statements is 0.0.0.0, then there might be some exposure for you.
I would also comment on your ACL that you start with a statement that denies the blacklist group to any and specifies ip protocol. It then goes on to deny that group for icmp, for esp, and for isakmp. But if you have denied them for IP traffic the other 3 entries are superfluous.
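The following is an added configuration example, not taken from the thread or from the poster's ASA, showing the peer-restricted pattern the answer above describes: each crypto map entry names one specific peer, and the checks at the end look for any catch-all (dynamic) entry. The interface name "outside", the addresses and the ACL/map names are constructed placeholders.

```cisco
! Added example (not the poster's config): one site-to-site entry per known peer.
! Addresses are RFC 5737 documentation space used as placeholders.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac

! Interesting traffic for site 1 only
access-list VPN-TO-SITE1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! Crypto map entry 10 is bound to a single explicit peer address;
! IKE from any other source does not match this entry.
crypto map WAN_map 10 match address VPN-TO-SITE1
crypto map WAN_map 10 set peer 203.0.113.10
crypto map WAN_map 10 set ikev1 transform-set TS-AES256
crypto map WAN_map interface outside

! Tunnel group keyed by the peer IP, so the PSK is only usable from that address
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <site1-psk-placeholder>

! Checks: every entry should show an explicit peer, and there should be
! no dynamic-map (catch-all) entry if all peers have static addresses.
show running-config crypto map | include set peer
show running-config crypto | include dynamic-map
```

If the second check returns a dynamic-map line, that is the "0.0.0.0 style" entry the answer warns about, since it accepts proposals from any source address.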
02-04-2021 07:42 AM
All 7 site-to-site VPNs have specific peer addresses in them, no 0.0.0.0.
I always put superfluous lines in just to check; I would be worried if the IP would deny, but I would still get hits on the ICMP.
But on the issue of the peers; as long as there is no risk of someone getting a VPN up, then I don't mind.
02-04-2021 08:11 AM
As long as you recognize that they are superfluous and are doing it as a double check that is fine. As long as you are configuring specific peer addresses for vpn then even if someone did learn the local and remote key they would not be able to set up a vpn from a different source address.