/etc/passwd is readable by design by every user in Linux. And you have it even inside the containers. If you set permissions to "readable by root only" normal programs won't be able to map user names to ids and your application might die
In modern linux this file doesn't contain any passwords, the only thing the attacker can gain by reading it is learning some usernames
But the WAF rule is not site-specific.
Almost all of your comment is asking site-specific questions, but that's barking up the wrong tree. The WAF is working under a completely different paradigm.
It especially doesn't know about specific user rules within a specific site! Or file permissions. None of those are in scope for the WAF. The WAF is trying to protect a million sites at once.
> Isn't it defeatable if I chop up the keywords into benign ones, store as variables, and then expand them?
That might work half the time, but not the other half. The filter isn't pointless, it's just being badly and annoyingly applied.