There is no exploit... for this specific site.

But the WAF rule is not site-specific.

Almost all of your comment is asking site-specific questions, but that's barking up the wrong tree. The WAF is working under a completely different paradigm.

It especially doesn't know about specific user rules within a specific site! Or file permissions. None of those are in scope for the WAF. The WAF is trying to protect a million sites at once.

> Isn't it defeatable if I chop up the keywords into benign ones, store as variables, and then expand them?

That might work half the time, but not the other half. The filter isn't pointless, it's just being badly and annoyingly applied.