It can be used to break out from restricted environments by running non-interactive system commands.
The --split-string allows multiple additional arguments to be supplied. The first
positional argument not containing an equals sign (=) will be executed as a
command, all following arguments are passed to that command as arguments.
env '--split-string=sh -c "id > /tmp/pwned"' foo