I take back the claim that it was configured the same as the others.
These 2 were checked.
Scan files outside your WordPress installation
Scan image files as if they were executable
That said, Wordfence should still work even if they are checked. I've left them unchecked for now.
Why would Wordfence struggle mightily if these are checked?