What is the purpose of the “user” global parameter in wp-cli.yml config?

There’s a difference between doing things to a user, and doing things as a user.

E.g. when you are logged in you are the current user, but by default in WP CLI there is no “current user”. You can specify this via a parameter but adding a user via wp-cli.yml saves time. You may even create a dedicated alias for running commands as that user.

Furthermore, why is user: admin recommended as a default value? That username hasn’t been default in WordPress for several years already… are there security or usability concerns with defining this global option, esp. depending on various web hosting environments that may or may not include user-level wp-cli.yml files?

There’s been a misunderstanding: admin is used as an example, not as a recommendation. The documentation is not telling you to use the value admin or suggesting it’s best practice. Rather, it’s providing an example so that people who want to use this option have an example they can compare against.

It’s not telling you to use admin, it’s saying if you wanted to use user with a value e.g. admin, that’s what it would look like. You can see other uses of the user directive further down.

are there security or usability concerns with defining this global option

If you have WP CLI access then it does not matter what the user parameter says: access has already been compromised, it’s already game over. This is like asking if the shape of the buttons on your personal safe matters to burglars. After all, WP CLI provides many other options, as well as --user.

but what is the purpose of having a default WordPress user specified in wp-cli.yml exactly? If anything, it seems a bit risky, or confusing.

Then don’t specify a default user. Most people do not do this; it requires additional steps. Most people don’t have a config file in the first place when using WP CLI. It’s simply an option that is available if it’s convenient.
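
The default user and the dedicated alias described above, as an added example that is not part of the original answer or the WP-CLI documentation. The usernames, the alias name and the path are hypothetical.

```yaml
# wp-cli.yml (constructed example; all names and the path are hypothetical)

# Global default: every command in this project runs with this WordPress
# account as the current user, the same as passing --user=content-bot on
# each invocation. Without it, WP-CLI runs with no current user.
user: content-bot

# Dedicated alias: commands run as a different account only when the
# alias is named explicitly, e.g. `wp @as-admin plugin list`.
@as-admin:
  user: site-admin
  path: /srv/www/example

# Acting AS a user vs. acting ON a user:
#   wp post create --post_title="Draft"       -> post is authored by content-bot
#   wp user update content-bot --role=author  -> changes the content-bot account
#                                                 itself, whoever the current user is
```

`wp cli info` prints which global and project config files are in effect, and `wp cli alias list` shows the aliases they define, which is a quick way to check what a hosting environment has preconfigured.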