I'm not sure how ACs work. Maybe they don't do it in-process since that's very limited but do it with a separate daemon that monitors OS syscalls?

I'm asking because I've read about many cases of devs who got banned because they used dev tooling (debuggers, profilers, decompilers, wireshark, etc).

AC is literally spyware.