Why don't rules include detection?

Hey, the rules make sense, but because they are so specific, I'm wondering why they don't i.e. contain a jsonpath or so to see if this risk applies to a given workload.

Let's take privieleged, there is a dedicated risk for it, I'd epect that it also contains a jsonpath to  validate if a workload is using privieleged in it's spec.