Suricata.yaml: "runmode: workers" is wrong as default option?

Using the Intrusion prevention system with the default suricata.yaml results in decreasing of ~50-70% of my internet throughput (depending how many rules are active).
However changing the runmode to “autofp” the throughput penalty is just 10% regardless of the number of activated rules.
Why the recommended suricata runmode (i.e. “autofp”) is changed to “workers”?

Do you have a reference for this?

You didn’t mention which version of IPFire but according to the Suricata 6.0.1 documentation

Generally, the workers runmode performs the best.

For processing PCAP files, or in case of certain IPS setups (like NFQ), autofp is used.

The suricata.yml file does say that autofp is the default, but that’s not the same as it being recommended.

Beyond being able to read, I can’t claim any expertise in Suricata.