So I can tab-complete files inside a tarball without getting pwned by a malicious filename. So my prompt can show when I'm in a git directory without giving RCE to every script kiddie on the internet. So I can actually read scripts before running them instead of giving up because even the cleanest, best-written sh is by necessity full of underhanded hacks.
Shells are combination development environments, programming languages with primitives and standard libraries, and UIs, and as such need to be exactly as security-minded as any other standard library, IDE, or file explorer.
Read scripts before running them, so you can't do that in Bash? I do acknowledge the first point you made about a malicious filename though; there should be a safeguard against that, although in all honesty, if someone is planting malicious files in your system, you've got bigger issues.