1) If your app has decent traffic it will be attacked. But we also describe how to scan your app with Arachni on our docs: https://docs.sqreen.com/using-sqreen/how-can-i-test-sqreen-d...
False positives on our RASP module are very rare. Most of our customers use it in blocking mode in production.
How do we do it? By using the application context. Our detection is done in-app. It's based on parsers that tokenize the query and detect injections when the user input changes the structure of the query.
More details on our detection rules [1] and more details on how we do dynamic instrumentation [2].
2) It’s on the cloud [AWS]. But our agent doesn’t redirect your traffic or collect sensitive data. We scrub the data inside your agent before sending it to our servers (just like Sentry or New Relic). You can also customize this behavior. [3]
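The tokenize-and-compare idea described above, as an added illustrative example that is not Sqreen's code and is much simpler than a production RASP parser: a small SQL lexer classifies the tokens of the final query, and an input is flagged only when the bytes it contributed do not stay inside one literal token. The lexer, the `structure` helper and the sample queries are constructed for this example.

```python
import re

# Constructed, illustrative SQL lexer: enough token classes to tell literals
# apart from keywords, identifiers, operators and comments. Not a full grammar.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/|\#[^\n]*)
  | (?P<string>'(?:[^']|'')*'|"(?:[^"]|"")*")
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|\|\||[=<>+\-*/%(),;.])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (kind, start, end, text) for every non-whitespace token in sql."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.start(), m.end(), m.group()))
    return tokens


def structure(sql):
    """Token-kind skeleton of a query: literal values are abstracted away, so
    two queries that differ only in their data have the same structure."""
    return [kind if kind in ("string", "number") else text.upper()
            for kind, _, _, text in tokenize(sql)]


def input_changes_structure(query, user_input):
    """True when user_input, where it occurs in the final query, is not
    contained inside a single literal token, i.e. it contributed keywords,
    operators, quotes or comments to the statement."""
    if not user_input:
        return False
    # The application may have escaped quotes before building the query:
    # try the raw form first, then the standard doubled-quote form.
    for candidate in (user_input, user_input.replace("'", "''")):
        start = query.find(candidate)
        if start >= 0:
            break
    else:
        return False  # input is not part of this query, nothing to judge
    end = start + len(candidate)
    hit = [t for t in tokenize(query) if t[1] < end and t[2] > start]
    if len(hit) != 1:
        return True  # input straddles several tokens
    kind, ts, te, _ = hit[0]
    if kind == "number":
        return False
    if kind == "string":
        return start <= ts or end >= te  # input must stay inside the quotes
    return True  # keyword, identifier, operator or comment came from the user


if __name__ == "__main__":
    # Constructed sample queries as an in-app agent would see them.
    benign = "SELECT * FROM users WHERE name = 'alice'"
    injected = "SELECT * FROM users WHERE name = '' OR '1'='1'"
    print(structure(benign))
    print(structure(injected))
    print(input_changes_structure(benign, "alice"))
    print(input_changes_structure(injected, "' OR '1'='1"))
```

Because the check is positional rather than pattern based, an apostrophe in legitimate data (`O'Brien`, correctly escaped by the application) stays inside one string token and is not flagged, which is where the low false-positive rate of a structure-based check comes from; a real agent additionally has to know how the framework quoted each parameter.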