You want to know the difference between Read and Open on application file access settings in the Global Application Monitoring settings

Component : Endpoint, Global Application Monitoring

Application File Access monitors the files that the application itself uses as it writes to and from the disk or other locations.

The default setting is Read which will hook into the the application process as the data is being read and uses less resource.  However sometimes applications don't tolerate this and can freeze or crash.  So alternatively you can use 'Open' which targets the same file but with a separate processes outside of the monitored app. It creates more overhead, but usually has less of an impact on the app.

Use cases for AFAC tend to be fringe - really only needed if you absolutely have to scan the app data before it is transmitted by other channels. As an example, when you activate a browser channel you are basically using AFAC to read the post inside the application before the browser encrypts it.