For the sake of this argument, lets suppose you run a git server. Users $(ssh) into your host and are only allowed to execute the command $(git), for instance for submitting a copy of their repository. You think: It's fine, the user cannot mess up anything on this system since he is restricted to run git.
Allowing any user $(git) access is as powerful as providing the user a $(bash)
Suppose you've got a build pipeline. The pipeline executes $(zip) at some point. Executing zip is as powerful as providing any of the pipelines users a $(bash).
And that is the whole idea of having a list like this. These tools by default have some capabilities which can easily be executable. You need to mitigate each of those. Because they are insecure by default.
Allowing any user $(git) access is as powerful as providing the user a $(bash)
Suppose you've got a build pipeline. The pipeline executes $(zip) at some point. Executing zip is as powerful as providing any of the pipelines users a $(bash).