Because Apex generally runs in system context, permissions, field-level security, and sharing rules aren't taken into account during code execution. This might put applications at risk of inadvertently exposing sensitive data.
Apex classes that perform direct or indirect database access
Apex web services
Apex classes that expose any REST resources (via Apex REST annotations)
Apex classes that are used as controllers by Visualforce pages, components
Apex classes that are used by Lightning controllers
This rule will not trigger on test classes