The code need not be intentionally malicious. Just imagine that a Makefile contains a line
like
    rm -rf $(VARIABLE)/path/to/somewhere
Now if $(VARIABLE) happens to be empty (perhaps only in your nonstandard configuration and not
on the developer's machine), pray that there is nothing important below /path/to/somewhere ...
That's just a simple example; it's easy to come up with more. It's not so much about
protection against malice, but protection against accidents. Accidents do happen, it's a fact
of life. If you want to drive without a seatbelt, all I can wish you is good luck...
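
Added example, not part of the original comment: a shell guard for the accident described above, which refuses to build a removal target when the prefix is empty, blank, or just the root directory. The function names (`unguarded_target`, `resolve_target`, `guarded_clean`) are hypothetical; only the `path/to/somewhere` suffix comes from the comment.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the suffix is the one from
# the comment above. In a recipe, make expands $(VARIABLE) before the shell
# runs, so the same check has to be applied to the value make hands over.

# What the unguarded line expands to: an empty prefix yields /path/to/somewhere.
unguarded_target() {
    printf '%s/%s\n' "$1" "$2"
}

# resolve_target PREFIX SUFFIX
# Prints the path to remove, or returns 1 when PREFIX is empty, only
# whitespace, or only slashes (all of which would resolve under /).
resolve_target() {
    prefix=$1
    suffix=$2
    trimmed=$(printf '%s' "$prefix" | tr -d '[:space:]')
    if [ -z "$trimmed" ]; then
        echo "refusing: prefix is empty" >&2
        return 1
    fi
    # Drop trailing slashes; nothing left means the prefix was "/".
    stripped=${prefix%"${prefix##*[!/]}"}
    if [ -z "$stripped" ]; then
        echo "refusing: prefix is the root directory" >&2
        return 1
    fi
    printf '%s/%s\n' "$stripped" "${suffix#/}"
}

# guarded_clean PREFIX SUFFIX: delete only a target that passed the check.
guarded_clean() {
    target=$(resolve_target "$1" "$2") || return 1
    rm -rf -- "$target"
}
```

In GNU make the same check can run before the recipe starts, with `$(if $(strip $(VARIABLE)),,$(error VARIABLE is empty))`.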