I think you're both right that the risk is low, assuming it's a build script that is to be run locally by a developer.
Code tends to get copied and pasted, and can easily sneak into other programs. Programs are integrated in ways which weren't originally intended. It's not a secure coding pattern, and that's why I mentioned it.
During security reviews, I would be focusing on more risky vulnerabilities, but I still review and flag findings in build scripts. I'm more concerned with build scripts downloading content over HTTP, or missing security compiler flags, but I digress.
It's a shell script as part of your build system. Surely you're not passing untrusted input to your command line, are you?