A number of things: the filesystem could intentionally contain suid root binaries, world-readable/writable device files, etc. Additionally, auditing and fixing vulnerabilities in the parsing of filesystems isn't a huge priority among kernel developers (which is one of the reasons why removing the privilege check for user namespaces was extremely premature). It's effectively the same impact as if a bunch of buggy, exploitable system calls were added. You would hope considerable care would be taken in the latter case. This hasn't happened with user namespaces.