Yes. If something goes wrong (someone manages to access the web UI, or a config file, for example), then they can control a program which is specifically designed for reading and writing files, running with root permissions. They can use this to read/write any file on the filesystem, and completely own you.
It’s the same argument against running any process as root unless it really really needs to. Except more extreme, because Syncthing is designed for reading and writing files: you don’t need to even try hard to convince it to read /etc/shadow.