Because it installs like 100,000 python scripts of mystery origin that run with full privileges. Even if the maintainers are unlikely to be malicious on purpose, it only takes one person accidentally putting a typo in a dependencies file in one of the hundreds of packages it imports... many of which not commonly used ones.
It's better than nothing but is it enough to run potentially malicious code?
I haven't checked recently but a while ago most distros defaulted to letting anyone peep into other users' home dirs. Moreover there has been so many exploits over the years letting a user gain root privileges that, for the purpose of security, unix users are akin to a bathroom lock.