Identifying crypto scams through Static Analysis - Part 7

crypto4udit - 2025-03-25 01:53:09

Allowance


The owner or developer of a project can build access into the code that lets them transfer assets from any user without holding an allowance.


For example, the owner gives himself access in the transferFrom function, and when the token reaches a significant value, he can quickly transfer all the users’ assets to the desired address.


This case was identified in a project that is still active by writing a rule for semgrep. In practice, it can be seen as a backdoor that gives a team operator too much permission.
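The check described above, as an added example (this is not the semgrep rule from the post, which the page does not show): a Python heuristic over Solidity source that flags a transferFrom whose body tests the caller's identity or never touches the caller's allowance. The two sample functions, the names `owner`, `allowed` and `balances`, and the finding labels are constructed for illustration.

```python
import re

# Constructed sample: the allowance is enforced only when the caller is not `owner`.
BACKDOORED = """
function transferFrom(address from, address to, uint256 value) public returns (bool) {
    if (msg.sender != owner) {
        require(allowed[from][msg.sender] >= value);
        allowed[from][msg.sender] -= value;
    }
    balances[from] -= value;
    balances[to] += value;
    return true;
}
"""

# Constructed sample: the allowance is enforced for every caller.
STANDARD = """
function transferFrom(address from, address to, uint256 value) public returns (bool) {
    require(allowed[from][msg.sender] >= value);
    allowed[from][msg.sender] -= value;
    balances[from] -= value;
    balances[to] += value;
    return true;
}
"""

# Assumed conventions: allowance read as mapping[...][msg.sender] or via _spendAllowance().
ALLOWANCE_USE = re.compile(r"\[\s*msg\.sender\s*\]|_spendAllowance\s*\(")
CALLER_TEST = re.compile(r"msg\.sender\s*[!=]=|[!=]=\s*msg\.sender")

def function_body(source, name):
    """Return the brace-balanced body of the first function called `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)[^{;]*\{", source)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(source)):
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        if depth == 0:
            return source[m.end():i]
    return None

def audit_transfer_from(source):
    """Heuristic findings for transferFrom; each hit is a prompt for manual review."""
    body = function_body(source, "transferFrom")
    if body is None:
        return []
    checks = {"no-allowance-check": not ALLOWANCE_USE.search(body),
              "caller-identity-test": bool(CALLER_TEST.search(body))}
    return [name for name, hit in checks.items() if hit]
```

The heuristic reads raw text, so comments and modifiers defined elsewhere in the contract are not resolved; an AST-based rule is the more precise form of the same check.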