I think topjohnwu already explained well enough. Since SN checks not the "file integrity" of Zygote but the integrity of the running Zygote process in memory, it makes the spoof very difficult.
Since Zygote is loaded very early during boot and is actually the base of all system and app process (this is also why XPosed is so powerful by modifying Zygote), so it's always running and it's not so easy to spoof the memory contents (including code and data area) of a running process from another process, so there SN is tripped always.
However since there Zygote is modified by XPosed, maybe someone can modify the Zygotes in such a way that will pretent the integrity and thus will not trip safety net (like some root kit for Windows) but how and if this can be done is entirely beyond my knowledge...