There is a fundamental technical reason why these tools cannot work as advertised. Facebook enforces server-side access controls tied to authentication tokens and audience settings. Their API simply will not return private data without explicit permission from the account owner.
Even if a user’s profile is private today, they may have had public settings in the past. Google’s image cache often retains profile pictures, cover photos, and even album photos from these earlier public periods. Use the search format: “Name” site:facebook.com in Google Images.
If you’ve ever entered your credentials on a suspicious site—or even if you haven’t—enable 2FA on your Facebook account immediately. This adds an extra layer of security that can prevent account takeover even if your password is stolen.