We had a bug bounty program manager who didn’t screen reports before sending them to each team as urgent tickets.
80% of the tickets were exactly like you said: “If the attacker could get X, then they can also do Y” where “getting X” was often equivalent to getting root on the system. Getting root was left as an exercise to the reader.
Security teams themselves make these reports all the time. Internal tools do not have the same vulnerabilities as systems which operate on external data.
Or as Raymond Chen likes to put it: "It rather involved being on the other side of this airtight hatchway".
https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
(actually a Hitchhiker's Guide to the Galaxy quote, but I digress)