Justus,
So I believe most of the injection assertions work based on regular expressions. Depending on the size of the input evaluated and the steps of the regular expression you can see some time spent in evaluation. It would be useful to know how large of a request you are sending and what threat protection assertion you are using for this test. Also Audits can cause delays. There is a tactical assertion which also does code injection protection.
But the more items checked off on the top of the box body/path/query(body for example) and the more assertions used to evaluate regular expression can cause latency. So having some specifics may be of value.
Thanks!