In addition to defense-in-depth—simply adding a bunch of imperfect layers and acknowledging that no individual layer like this is all that effective on its own—there’s a component of creating signal: it can be pretty trivial for a motivated attacker to bypass a WAF, however it may not be trivial to do so without creating a paper trail of event logs, which can be used to trigger automated blocks or escalate alarms for a human to intervene.