PPRuNe Forums - View Single Post - Airbus crash/training flight
Old 5th Nov 2010, 14:55
  #1507 (permalink)  
Mad (Flt) Scientist
 
Join Date: Sep 2002
Location: La Belle Province
Posts: 2,179
Simply put, probability.

The likelihood of circumstances requiring the protection function to work is less than P=1. Therefore some failure rate of the protection system is acceptable. But for circumstances where you are deliberately testing a protection function, you can't take credit for the probability of the circumstances, because they are certain.

It's the difference between potential and certainty.

To take a different example - any takeoff can become a high energy RTO. The risk is known and managed. But a deliberate high energy RTO for test purposes is managed rather differently - fire trucks on hand, crews with protective gear, specifically briefed, and so on. Because now that the RTO is certain, the normal safety measures - having a fire truck somewhere on the airfield, for example - don't cut it. We need it right there.

Same for protection systems. Their normal reliability requirements are a function of the probability they will be required.

Bear in mind, too, that the design was operating believing it had one failed sensor (of 3) and with two remaining, that should be enough redundancy to complete a flight, since the chance of the next sensor failing combined with a "required protection" condition is acceptably low. In service.