Imagine a /dev/halt_catch_fire that requires CAP_SYS_RAWIO. Your application runs as root but drops all capabilities, so you never bother making sure that it doesn't accidentally touch /dev/halt_catch_fire. Later, someone decides to add a more fine-grained capability and now either CAP_SYS_RAWIO *or* CAP_SYS_HALT_CATCH_FIRE is sufficient. Your application was previously incapable of setting the machine on fire, but now it can.
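One way the scenario above can arise, modelled as an added example that is not part of the original text: it assumes the application "drops everything" by looping up to the highest capability number known at build time, so a capability added later survives the drop. The number 41 for the hypothetical CAP_SYS_HALT_CATCH_FIRE, the build-time limit and all helper names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CAP_SYS_RAWIO is 17 on Linux; 41 is a constructed number for the page's hypothetical cap. */
enum { CAP_SYS_RAWIO = 17, CAP_SYS_HALT_CATCH_FIRE = 41 };
#define BUILD_TIME_LAST_CAP 40 /* assumed: highest cap in the headers the app was built against */

typedef uint64_t capset_t;
#define CAP_BIT(n) ((capset_t)1 << (n))

/* Root starts with every capability the running kernel defines (bits 0..kernel_last_cap). */
static capset_t full_set(int kernel_last_cap) {
    return (CAP_BIT(kernel_last_cap) << 1) - 1;
}

/* Drop loop bounded by the build-time constant: misses anything added afterwards. */
static capset_t drop_known(capset_t caps) {
    for (int c = 0; c <= BUILD_TIME_LAST_CAP; c++) caps &= ~CAP_BIT(c);
    return caps;
}

/* Drop loop bounded by what the running kernel reports
 * (on Linux this value is readable from /proc/sys/kernel/cap_last_cap). */
static capset_t drop_runtime(capset_t caps, int kernel_last_cap) {
    for (int c = 0; c <= kernel_last_cap; c++) caps &= ~CAP_BIT(c);
    return caps;
}

/* Device access check before the new capability exists. */
static bool may_open_old(capset_t caps) {
    return (caps & CAP_BIT(CAP_SYS_RAWIO)) != 0;
}

/* Access check after the change: either capability is sufficient. */
static bool may_open_new(capset_t caps) {
    return (caps & (CAP_BIT(CAP_SYS_RAWIO) | CAP_BIT(CAP_SYS_HALT_CATCH_FIRE))) != 0;
}

int main(void) {
    capset_t before = drop_known(full_set(40));       /* kernel without the new cap */
    capset_t after  = drop_known(full_set(41));       /* same binary, newer kernel */
    capset_t fixed  = drop_runtime(full_set(41), 41); /* runtime-bounded drop */
    printf("old kernel, build-time drop: can open = %d\n", may_open_old(before));
    printf("new kernel, build-time drop: can open = %d\n", may_open_new(after));
    printf("new kernel, runtime drop:    can open = %d\n", may_open_new(fixed));
    return 0;
}
```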