I modified the README.md to be less confusing.
The anti-ransomware is basically rejecting everything that is not a read request on certain indices.
The "Full access for localhost, RO some indices from elsewhere" ALSO accepts anything coming from localhost. There's two rule blocks.
Blocks are evaluated in sequence from up to down until one matches. If no block matches, the request is rejected.