yandex / gixy

Nginx configuration static analyzer

Detection of scenario when default is not specified for map directive

oxdef opened this issue · comments

It looks like a common case when map is used for some kind of authorization control. A simplified example could look like:

http {
...
    # no "default" entry: any $uri not listed below yields an empty string, not 0
    map $uri $mappocallow {
        /map-poc/private 0;
        /map-poc/secret 0;
        /map-poc/public 1;
    }
...
    server {
    ...
        location /map-poc {
            # "" = 0 is false, so an unlisted URI under /map-poc is not rejected
            if ($mappocallow = 0) {return 403;}
            return 200 "Hello. It is private area: $mappocallow";
        }
    ...
    }
}

According to the manual:

default value
sets the resulting value if the source value matches none of the specified variants. When default is not specified, the default resulting value will be an empty string.

It is easy to forget about the default value, so a malefactor can bypass this "authorization control" with a simple https://targethost.com/map-poc/another-private-area. It would be great if gixy could detect such a case.

I want to make a PR but can't find in the Block and Directive definitions how to get the map block content :(
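As an added illustration of the check requested in this issue (example code, not gixy's own plugin code or API, which the issue says is unclear for map blocks), this standalone Python detector finds map blocks with no default entry and simulates the lookup to show why an unlisted URI yields an empty string that slips past `if ($mappocallow = 0)`; the sample config is constructed.

```python
import re

# Constructed sample config (not a real deployment): first map lacks "default",
# reproducing the issue; the second is written fail-closed for comparison.
SAMPLE_CONFIG = """
http {
    map $uri $mappocallow {      # no default -> unlisted URIs map to empty string
        /map-poc/private 0;
        /map-poc/secret 0;
        /map-poc/public 1;
    }
    map $uri $strictallow {
        default 0;               # unlisted URIs are denied
        /map-poc/public 1;
    }
}
"""
MAP_RE = re.compile(r'\bmap\s+(\S+)\s+(\S+)\s*\{')

def find_map_blocks(config):
    """Return (source_var, target_var, body) per map block, comments stripped."""
    text = re.sub(r'#[^\n]*', '', config)
    blocks = []
    for m in MAP_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # scan to the matching closing brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        blocks.append((m.group(1), m.group(2), text[m.end():i - 1]))
    return blocks

def map_entries(body):
    """(source, value) pairs; one-token params like 'hostnames;' are skipped."""
    entries = []
    for stmt in body.split(';'):
        parts = stmt.split()
        if len(parts) >= 2:
            entries.append((parts[0].strip('"\''), parts[1].strip('"\'')))
    return entries

def maps_without_default(config):
    """Target variables of map blocks with no 'default' entry (the requested check)."""
    return [dst for _, dst, body in find_map_blocks(config)
            if 'default' not in {k for k, _ in map_entries(body)}]

def resolve(body, source_value):
    """Exact-match map lookup (regex/wildcard keys ignored): an unmatched source
    gives the default value, or '' when no default is set."""
    entries = dict(map_entries(body))
    return entries.get(source_value, entries.get('default', ''))
```

The fail-closed fix is the second map's `default 0;` line: an unlisted URI then resolves to `0` and the `return 403` branch fires as intended.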