This is not hypothetical. Steam and Bumblebee did it.

That was the result of an additional space in the path passed to rm, IIRC.

Though rm /$TARGET where $TARGET is blank is a common enough footgun that --preserve-root exists and is default.

	▲	niyikiza 10 hours ago \| parent \| next [-]
		You'd be surprised to see how often we're seeing those types of semantic attack vulnerabilities in Agent frameworks: https://niyikiza.com/posts/map-territory/
	▲	cyberax 9 hours ago \| parent \| prev [-]
		Even better, $TARGET might be "/home/user/documents and settings /bin"

a_t48 10 hours ago | parent | prev [-]

Bungie, too, in a similar way.