My unstated assumption was that when calling something like imagetragick you would be doing the appropriate privilege dropping using setuid and setgid. This is obviously not necessarily the case, but it's at least a lot more common than people cleaning up the ENV before creating a child process.