Not only that, but asking it to do a security vulnerability assessment of your own project is a very valid and important thing, and there is no way for it to know what is yours vs someone else's, so we just lose this capability?

Yeah it just uncovered quite a few flaws it than refused to fix :-(