The ACF vulnerability that is "fixed" by the Secure Custom Fields plugin is not an actual vulnerability. The updated code path gets executed only if:
1. You're using ACF to define custom post types or taxonomies,
2. AND an administrator-level user has specified a custom metabox callback function that (a) already exists in your codebase and (b) is somehow malicious.