In theory, this RST should be generated by the scanner's operating system in response to the left (from its point of view) SYN / ACK, which it knows nothing about (because the scanner sends a self-made IP packet via a raw socket, past the operating system's TCP / IP stack). However, a statefull firewall with a DROP policy can be configured on the scanner OS, or blackhole mode, when connection attempts to unopened ports or left packets are simply discarded.

Because that's how nmap works. RST is not sent on purpose:
https://nmap.org/man/ru/man-port-scanning-techniqu...
If you run nmap as a regular user, he will not have access to the network, bypassing the OS, and then scanning will go by the CONNECT method. This is longer in time, more noticeable on the target system, and that's when the RST packet is sent.