Because you could have code that alters the database, shows sensitive information or otherwise trigger events you only want it to execute under the conditions you design without error.
Many core files only hold functions which don’t execute if the file is accessed directly.
When they do alter data/files they usually check for $_POST actions, Nonces and verify user permissions before actions are taken. Often times the permissions check is the first thing in the file.
if ( ! current_user_can( 'list_users' ) ) {
if ( ! current_user_can( 'create_users' ) && ! current_user_can('promote_users' ) ) { wp_die
if ( ! defined( 'IFRAME_REQUEST' ) && isset( $_GET['action'] ) && in_array( $_GET['action'], array( 'update-selected', 'activate-plugin', 'update-selected-themes' ) ) )
if ( !current_user_can('export') )
If those checks fail they typically terminate the request
wp_die(__('You do not have sufficient permissions to export the content of this site.'));