What do we mean by "signing over their contributions"? The Apache CLA mainly says that you own your contribution and are allowed to make it (similar to the Linux Certificate of Origin), and if you have patents covering this, you agree to give the project a royalty-free license, things like that.
In the case of the Apache CLA, you do not assign copyright, you keep it. You just agree to license it under the same license.
It's pretty clear how it can help them, by covering their ass (you can't contribute code that you have a patent on, then ask for money from everyone, SCO-style, or them getting sued if you contribute code you're not allowed to), but not in a "we can relicense your work and charge money for it" invasive way, anyway, not that I can see?
It's that latter part that I'm trying to understand better. If you sign an Apache-style CLA with someone, can you get screwed over?