It seems too risky to use Super Bot Fight Mode at the moment, even when it’s set to challenge “definite bots.” I read some other posts but they’re from a few weeks ago and I know this is a fairly new feature. People were asking for a way to whitelist, but that doesn’t seem like the best solution… more like sweeping it under the rug.
I had 6,000+ firewall events per day, including my own origin server IP classified as a definite bot. This interfered with the REST API, wp-cron.php (loopback requests) and possibly other things. This happened on a website using the Professional plan.
It doesn’t seem to be “definite” enough about what it’s blocking, but I admit this could all be due to something I’ve setup incorrectly outside of Cloudflare. I’ve turned it off for now until I can investigate it further.