If someone gained access to your Dashboard and were able to write PHP, they could potentially gain access to your server.
This is why DISALLOW_FILE_EDIT
exists, to prevent a bad user from writing PHP in the Dashboard.
That being said, these days they could likely just install a plugin like Code Snippets and write it anyways.
If your Dashboard is secure (strong password, 2FA), then this is less of an issue, and you can probably allow file editing.