
There are examples of things breaking in this very comment section [1].

Given how widely used ACF is, it wouldn't be surprising to learn that a lot of weekends were ruined by the "fork".

[1] https://news.ycombinator.com/item?id=41830709



Looking at the code, it's not clear to me how much has broken because of the fork, and how much has broken because of the "secure context" security patch that ACF have apparently also applied in their own version.

That is, I think some of these things might have broken even with the real ACF.

The main change appears to be that if a developer has used a built-in WordPress function as a filter hook (rather than a user-defined one), that has been blocked. (This has never been a good idea, anyway; developers should not do it.) Also a filtered version of the POST variables has been passed to the callback. These are both seemingly to stop CSRF attacks.

This patch was necessary; it prevents CSRF and potentially other nasties.

I don't mean to excuse any of the other bullshit; I'm just saying that if there are "breakages" here, they are likely to do with the necessary patch that is hidden inside the gaslighting.



