Security teams have a laundry list of different focus areas for cloud applications. Salesforce is a cloud application that supports critical business functions and processes of sales and services. Built-in security does not offer the depth and breadth of insight needed to analyze and address risks that can impact other processes, applications, and the intelligent enterprise at large. Security teams must ensure that users have the least privileged authorizations possible: no more than they need to perform day-to-day operations. A lapse in Salesforce authorizations can lead to a security or system administrator having the authority to modify access permissions and edit security configurations.
Source: https://www.helpnetsecurity.com/2021/04/12/salesforce-security-compliance/

