Note that functions share the same namespace as other commands including commands in the file system, which on most systems have no limitation on the characters or even bytes they may contain in their path.
So while most shells restrict the characters of their functions, there's no real good reason why they would do that. That means in those shells, there are commands you can't replace with a function.
zsh and rc allow anything for their function names including some with / and the empty string. zsh even allows NUL bytes.
$ zsh $ $'\0'() echo nul $ ^@ nul $ ""() uname $ '' Linux $ /bin/ls() echo test $ /bin/ls test A simple command in shell is a list of arguments, and the first argument is used to derive the command to execute. So, it's just logical that those arguments and function names share the same possible values and in zsh arguments to builtins and functions can be any byte sequence.
There's not security issue here as the functions you (the script author) define are the ones you invoke.
Where there may be security issues is when the parsing is affected by the environment, for instance with shells where the valid names for functions is affected by the locale.