The documentation for Workflow in 7.1 HelpCenter nicely discusses the risks behind using workflow.
Please also bring the following text to learn.liferay.com and (at least) the 7.2 version of the HelpCenter article:
Users with permission to edit or publish workflow definitions can add Groovy scripts to the workflow. Access to the scripting engine means access to the Java Virtual Machine (JVM) of the server. Users who publish (or edit) workflow definitions containing scripts, therefore, can get access to any data within the reach of the JVM, such as data contained in a separate Virtual Instance of Liferay DXP itself.
Because of this far-reaching access, permission to create or edit workflow definitions is limited to Regular Administrators of the Default Virtual Instance.
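To make the quoted risk reviewable in practice, here is an added example (not part of the ticket or of Liferay's documentation) that lists every script embedded in a workflow definition so it can be read before the definition is published. It assumes the definition XML carries scripts in `<script>` elements with a sibling `<script-language>` inside named nodes; the sample definition and its namespace are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample definition. Element names (<script>, <script-language>,
# <name>) are an assumption about the workflow XML layout; the namespace is a
# placeholder. For files from untrusted sources, parse with defusedxml instead.
SAMPLE_DEFINITION = """<workflow-definition xmlns="urn:example:workflow">
  <name>Sample Approval</name>
  <state><name>created</name><initial>true</initial></state>
  <task>
    <name>review</name>
    <actions><action>
      <name>notify</name>
      <script><![CDATA[println "reviewing"]]></script>
      <script-language>groovy</script-language>
    </action></actions>
  </task>
  <state>
    <name>approved</name>
    <actions><action>
      <name>approve</name>
      <script><![CDATA[// update status
println "approved"]]></script>
      <script-language>groovy</script-language>
    </action></actions>
  </state>
</workflow-definition>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, tag):
    """Text of the first direct child named `tag`, or None."""
    return next((c.text.strip() for c in elem if local(c.tag) == tag and c.text), None)

def find_scripts(xml_text):
    """Return one finding per embedded script: where it sits, its language, its size."""
    findings = []
    def walk(elem, path):
        name = child_text(elem, "name")
        path = path + [name] if name else path
        for child in elem:
            if local(child.tag) == "script":
                findings.append({"where": "/".join(path),
                                 "language": child_text(elem, "script-language") or "unspecified",
                                 "lines": len((child.text or "").strip().splitlines())})
            else:
                walk(child, path)
    walk(ET.fromstring(xml_text), [])
    return findings

if __name__ == "__main__":
    for finding in find_scripts(SAMPLE_DEFINITION):
        print(finding)
```

Any finding is code that runs inside the server's JVM, so each one deserves the same review as a code deployment.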