"Accountless report categories" allow sending reports to other instances on behalf of the service user
When there are active accountless report categories, the instance can be anonymously used to send ActivityPub spam to other instances by reporting federating content. The better behavior would be to only allow reporting local content anonymously.
I got a heads-up from the admin of another instance when during an authorized penetration testing automated tools created a dozen of reports on their content.