Its a breach of security if we set System context if nothing is set, A simple example would be if you call a JSP from within your template you will have full access without even realizing.

If its a problem that workflow engine cannot set proper permissions, we can set SystemContext there instead of leaving this security hole.