Root directory would be on that blacklist for sure.

Those "vague suggestions" actually seem to include some pretty specific examples.

> A user’s entire "home" directory. Individual files and directories inside the home directory should still be allowed, but user agents should not generally let users give blanket access to the entire directory.