Installing this plugin would be a good reason.
It creates a cookie that could be mistaken as something malicious. It's vary rare that it would happen but it does. It's been so long since it has happened that I do not remember the exact string but it did happen several times.
Also I create a PHPSESSID cookie just to help keep the spammers away via my own construct and .htaccess. Since I use:
session.hash_bits_per_character = 6
it's more complex with the possible characters (0-9, a-z, A-Z, "-", ",")
which has also been caught as well. It's not the trust in the cookie that matters, but the string that is in the cookie value, etc. It's random, so it's possible it could look like an SQLi or something similar.
I maybe mistaken, but I'm under the assumption WordPress Firewall 2 just used $_GET and $_POST when checking for malicious strings. So if your plugin does the same, it will also catch false positives. It's pretty much possible with anything, not just a cookie. So basically without being able to whitelist certain forms, users will have to disable, certain protection options. Seems like it would make better sense, to be able to whitelist a form or page then just to disable a certain option. At least then it would still provide some protection and keep down on any false positives and make the plugin useful.