Until the classifier is wrong or also prompt injected. the classifier is just as vulnerable as the model itself is. Yes it is harder to break but trying to make a nondeterministic tool deterministic by adding another nondeterministic one on top just reduces the chance of something going wrong.

Tbf as long as that chance is low enough it doesn't matter in practice, but I have definitely seen the classifier approve things that were questionable, and I've also seen it decline things that were obviously okay.