I came here for the same reason. As a good practice, I never give Flash objects access to my own page. They should generally not need it and it protects me in the event Twitch is compromised. With allowScriptAccess=always, if an attacker gained access to Twitch’s player they could use it as a vector into anybody’s site.
Why does the new player require elevated permissions now? It puts third-party websites at risk for no apparent benefit.