I noticed Debian does this by default and Arch wiki recommends is citing improved security and upstream.
I don’t get why that’s more secure. Is this assuming torrents might be infected and aims to limit what a virus may access to the dedicated user’s home directory (/var/lib/transmission-daemon on Debian)?
The point is also to minimize potential damages caused by a bug in the software. Just this year there have been multiple data-destroying bugs in publicly released software. If the app runs as a server it’s usually trivial to have it run as a dedicated user, with just enough permissions to do its job.
It’s just good practice, even though the risks might be low why risk it at all?