Mounting efivarfs read/write by default can lead to accidental deletion of the EFI variables. It was already reported on Arch Linux forums that running 'rm -rf' over a directory structure with mounted efivarfs did actually "hard-brick" some MSI notebook.
Well, there are tools that actually want to write it. We also expose /dev/sda accessible for root, even though it can be used to hose your system.
The ability to hose a system is certainly reason enough to make sure it's well protected and only writable to root. But beyond that: root can do anything really.
-- poettering closed this 6 days ago