Hi, I'm the one who raised this issue with support and wrote the (trivial) code that exposes the "allowDeletions" property.
David: the point is that if for some reason an administrator makes a configuration error when updating the LDAP query to fetch groups or users, then all authorities are deleted, and as a side effect so are their permissions on nodes. When the admin saw that the query was wrong, he changed the query back (the idea initially was to sync in more groups, but due to an error 0 groups were found). But by then all permissions had been deleted. We had to drop the repo and roll back from backup. That was in pre-production, so no critical data was lost, but in production that would have been catastrophic.
The default behaviour is, I think, all right for 99.9% of customers/users, but I know one who has had and will have to tinker with group sync during the lifetime of the repo, and with automatic deletion on, it is just too much of a risk.