And that what was i pointing to, when you copy and rename using single API, you are still disclosing the operation to Defender and it might also block it, but when you read it in whole or partial and at the same time writing data to another file, these are internal operation to your application.

Do you get the idea ?
1) Copying a file with the help of the OS UI like Windows Explorer, and
2) copying the file using an API, and
3) creating a different file then read data then write it to the second, in other words copying the data from within the file, but not the file.
these are different operations and Windows Defender will be not watching and reacting them the same way, each one has collection of rules to watched and checked.

Defender is not a simple scanner but also real time protection with heuristic and behavior analyzer scanner.