When must I use and verify nonce?

Nonces should be used to verify the intent of the user, especially on destructive actions.

Imagine there is a link the user can click to delete a post. The user can do it, so when they click it, the post gets deleted.

Now imagine someone else tricks the user into clicking this link ("look at this cat pic!"). The user still can do it, so from an access perspective they are allowed to, and the post still gets deleted. But it wasn't their intent to delete anything in this situation.

A nonce adds a level of protection in these situations by limiting the action to a specific user in a specific span of time. If a nonce is used, then that very specific nonce needs to be used to trick the user into taking the action.
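The delete link described above, written out as an added example (this is not code from the answer or from WordPress itself). The WordPress functions used are real core APIs; the action name `mp_delete_post`, the function names prefixed `mp_` and the redirect target are assumptions for illustration. It shows both halves of the pattern: creating the nonce when the link is built, and verifying it, plus the separate capability check, when the link is clicked.

```php
<?php
// Added example, not part of the original answer. Names prefixed "mp_" and the
// action string "mp_delete_post" are placeholders; the WordPress calls are real.

// 1. Build the delete link. wp_nonce_url() appends a _wpnonce parameter made by
//    wp_create_nonce(), which hashes the action string together with the current
//    user's ID, their session token and the current 12-hour "tick". That is what
//    ties the token to a specific user and a specific span of time.
function mp_delete_link( $post_id ) {
    $url = add_query_arg(
        array( 'action' => 'mp_delete_post', 'post_id' => (int) $post_id ),
        admin_url( 'admin-post.php' )
    );
    // Putting the post ID in the action string means a nonce for post 7
    // cannot be replayed against post 8.
    return wp_nonce_url( $url, 'mp_delete_post_' . (int) $post_id );
}

// 2. Handle the click. admin_post_{action} fires only for logged-in users.
function mp_handle_delete() {
    $post_id = isset( $_GET['post_id'] ) ? (int) $_GET['post_id'] : 0;

    // Verify intent: _wpnonce must match this action, this post, this user and
    // the current or previous tick (24-hour window by default). A link copied
    // onto a "cat pic" page will not carry a token valid for the victim.
    // check_admin_referer() calls wp_die() on failure; wp_verify_nonce() is
    // the non-fatal variant if you would rather branch yourself.
    check_admin_referer( 'mp_delete_post_' . $post_id );

    // Verify permission separately: a valid nonce proves intent, not authority.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to delete this post.', '', array( 'response' => 403 ) );
    }

    wp_delete_post( $post_id, true );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
add_action( 'admin_post_mp_delete_post', 'mp_handle_delete' );
```

Output `mp_delete_link( $post->ID )` wherever the link is rendered (it is already escaped for HTML by `wp_nonce_url()`). Two things worth keeping in mind: the nonce check and the capability check are different questions, so neither replaces the other, and because a WordPress nonce is valid for up to a day it is a guard against tricked clicks rather than a one-time token in the cryptographic sense.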