A low-level account created later can suddenly "wake up" with Administrative or Domain Admin rights if those rights were pre-injected into the synthetic SID.
An attacker with high privileges (but perhaps needing to maintain long-term, hidden access) adds a non-existent SID to a resource's ACL. A low-level account created later can suddenly "wake
Standard security tools often monitor for changes to ACLs for existing users. Since the injection happens before the user exists, it can bypass traditional monitoring. it can bypass traditional monitoring.