A lot of the restricted stuff is cargo-cult fear of symbols that could be used in SQL-injection or XSS attacks.

A properly-coded system wouldn't care, but the people who write the rules have read old OWASP documents and in there they saw these symbols were somehow involved in big scary hacks that they didn't understand. So it's easier to ban them.