Ok, let’s imagine a user that has a domain: example.org he has 3 application like WordPress, piwik, ownCloud installed in path like /blog, /stats and /cloud
When he logs in as an admin on each app, a cookie is stored inside his browser. The security policies of browsers make that the app have access to all the cookies stored for the domain.
Now let’s imagine WordPress had been compromised. The attacker has control of the WordPress of the user. It means he can gather all cookies of the user for this domain. so he can get access to the ownCloud admin cookie and login to the admin interface.
To sum up, when you use subfolder, it means that the security of the whole “domain” is the security of the less secured app. Is it clearer?
(The user that run the app does matter in this case, but not that much, we are more on the side of the browser)