I know that these transactions have traditionally been a risk to give in a production systems, even with display only access. However, SAP has improved authorization checks on these tcodes so that execute capability is only allowed if the user has S_DEVELOP with activity 16 and the name of the program or function module being executed.
Is there still a risk in giving these and if so, can you please describe them?