by kadoban 7 hours ago
> I think PHP has in the past explicitly stated it's not a security feature.
I'm struggling to think what it's for then?
Likely intended more as a lint than a security feature; it's not unusual to want to exclude commonly misused features from your code and any libraries you use.
Knowing the mess that is the PHP standard library, I imagine many applications would want to just straight up ban the really bad parts.
> I'm struggling to think what it's for then?
Placating some users - mainly shared web hosting providers - who still think that disabling functions like system() and exec() is an effective security measure.
A lazy security feature that stops 90% of problems?