The safeguards for Fable are very conservative right now since it was banned once. It even bumped me when I was creating something related to my network security.
The hardest part of review tools like this is signal-to-noise — one round of false positives and people start reflex-accepting or muting it. How does Ox decide what's worth flagging on a given PR, and does it dedupe against pre-existing debt so it only surfaces what the change actually introduced?
In my company, we use CodeRabbit with Azure DevOps and it flags a lot of things and mostly they were false positives so eventually we stopped relying on it.