I think this is a case of foundational, best or most correct answer versus the simply correct.
RUM is pretty spooky and to do it in most jurisdictions you’ll need to have consent(specific) for the processing of this personal data. You’ll need to capture everything you do with it to ensure accountability, considering why and how you process the data and why. Moreover, in regards to harm you’d only start to really consider what the false negative/positive metrics meant to the individual in terms of harm, their interests etc. Often a detection will just alert a person that they should take a look.
So while I think you totally consider false positives, I think that they are downstream of the privacy considerations and their impact will depend on many factors.
Unless of course the system doing the RUM ‘releases the hounds’ or similar on a false positive with no human in the loop to countermand this.