
phillcoxon on "[Plugin: Wordfence Security] Comparing plugins / core against repo doesn't find unrecognised files?"

Hi Tim,

Sorry for the slow reply.

These options only scan against the official files in the repo. If there are new files then the scan doesn't pick them up.

i.e.: pluginname/maliciousfile.php

maliciousfile.php isn't in the official plugin repo, so it isn't reported as being changed, but it still needs to be identified as a file that isn't in the repo and shouldn't be there.

As pointed out above, there is clearly code in Wordfence (or used to be) that lists additional found files that are not included in the official plugin/theme, but it's currently not being triggered.

The bottom line is that it appears that it is super easy to hide malware in WP-Core or a plugin or theme folder. If it's a new file that doesn't exist in the official repo the "compare against repository versions" scan doesn't pick it up? I did some tests a week ago that failed to pick up malware this way.

Thanks!
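The gap the post describes is a comparison that only checks files present in the official manifest, so a file that was never in the release is never examined. The following added example (not Wordfence's code, and not from this thread) shows the three-way comparison a defender wants: modified, missing, and unexpected files. The plugin layout, file contents and manifest are constructed in a temporary directory for the demo; the file name maliciousfile.php is taken from the post and its content is only a placeholder.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's bytes, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(root):
    """Every regular file below root, as a forward-slash path relative to root."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def compare_with_manifest(plugin_dir, manifest):
    """Three-way comparison of an installed plugin against its official manifest.

    manifest maps relative path -> SHA-256 of that file in the official release.
    Returns sorted lists: 'modified' (present, hash differs), 'missing'
    (in the manifest, not on disk) and 'unexpected' (on disk, not in the
    manifest). The last bucket is what a manifest-driven hash check drops.
    """
    plugin_dir = Path(plugin_dir)
    present = list_files(plugin_dir)
    expected = set(manifest)
    return {
        "modified": sorted(p for p in present & expected
                           if sha256_of(plugin_dir / p) != manifest[p]),
        "missing": sorted(expected - present),
        "unexpected": sorted(present - expected),
    }


# Constructed stand-in for the files shipped in the official release archive.
OFFICIAL_FILES = {
    "pluginname.php": "<?php\n/* Plugin Name: Example */\n",
    "readme.txt": "=== Example ===\n",
    "includes/helpers.php": "<?php\nfunction example_helper() { return 1; }\n",
}


def manifest_from_official():
    """Manifest as it would be derived from the official release contents."""
    return {path: hashlib.sha256(body.encode()).hexdigest()
            for path, body in OFFICIAL_FILES.items()}


def build_demo_install(base):
    """Write an install that has drifted from the release in all three ways."""
    base = Path(base)
    for rel, body in OFFICIAL_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    # Constructed drift: one edited file, one deleted file, and one file
    # that was never part of the release (placeholder content only).
    (base / "includes/helpers.php").write_text(
        OFFICIAL_FILES["includes/helpers.php"] + "// edited locally\n")
    (base / "readme.txt").unlink()
    (base / "maliciousfile.php").write_text("<?php // placeholder for a dropped file\n")
    return base


def demo():
    """Run the comparison on the constructed install and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        install = build_demo_install(tmp)
        return compare_with_manifest(install, manifest_from_official())


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

The point of the example is the `unexpected` bucket: it is computed from what is on disk minus the manifest, so it catches a file like maliciousfile.php regardless of whether a hash for it exists anywhere. A scan that iterates only over manifest entries can never populate that bucket.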
