why- Open BSD .rocks

file(1) (∞)

file is sandboxed and runs as the _file user.

Think of the following: You download a random file from the internet and analyze it using file. If file has a security hole (local code execution for example) and the downloaded file is configured to exploit this, it can run attacks. That’s why the file utility is sandboxed and chrooted by default.