Okay this can be closed. Turns out the file path that I was hiding had the word "vendor" in it. Found out by copying the file elsewhere, renamed it and it was able to detect leaks.

The word vendor is in the global allow list by default in the config file. Looks like I'll need to supply a custom config file to remove that allow.

--log-level trace did not show any extra details.

Originally posted by @jbyardi in #1510 (comment)