WAF is enabled and optimized, so it’s loaded before WP is loaded. That should use less resources. In the past Live traffic was setup by default to log all traffic and that caused a big load ofcourse, so I’ve always set that to Security only, which is the default for a couple of years now.
I’m running 2 rather small VPS with 20-30 sites each, with Wordfence on every site. I’m monitoring the load on these servers and Wordfence is no issue.
Another thing I change in the settings is the Brute Force Protection. This is set by default to 20 logins, 20 password recovery attempts, within 4 hours, results in a block of 4 hours. My setup on every site is 5 logins, 3, password recoveries, within 30 minutes, results in 2 months block.
The rest of the settings are mostly default, but you can tweak it as you like. On YouTube there are video’s that explain every setting.
As I said before I’m not reporting. Or do you mean the notifications from Wordfence? I’m sending the High and Critical events to Slack by using Wordfence Central (also free). Everything can be tweaked to what suits your way of working.