Currently because about:home snippets wanted the ability to install social providers without showing the doorhanger all moz-unsafe-about urls were given that ability. Some about: urls are explicitly designed to display injected content, and even though we usually try to prevent scripts this opens a fairly large attack surface. Add-ons can also install additional about: urls and may be of varying quality. We can whitelist about:home if necessary, but other moz-unsafe-about urls should not get this power. [It's fine if chrome-privileged about: pages are allowed to bypass the doorhanger. Being chrome-privileged they could already do that the hard way if they were malicious.]
This as fixed in bug 1014332.