I think the argument is that file permissions may not be applied as rigorously, with the assumption that SIP is in effect.

SIP won't save you from wrong file permissions.

And SIP doesn't defend you from editing files in /bin. They are guarded by the fact that root filesystem is mounted read-only.

With SIP enabled it’s not possible to load arbitrary kernel extensions, for one - they must be signed.

Entitlement stealing, for example.