这在ExecuteCallStmt中进行了解释：

/*
 * In security definer procedures, we can't allow transaction commands.
 * StartTransaction() insists that the security context stack is empty,
 * and AbortTransaction() resets the security context.  This could be
 * reorganized, but right now it doesn't work.
 */

实际上，StartTransaction具有

/* SecurityRestrictionContext should never be set outside a transaction */
    Assert(s->prevSecContext == 0);

这可以追溯到commit eedb068c0a7474fb11d67d03b0a9e1ded5df82c4：

Make standard maintenance operations (including VACUUM, ANALYZE, REINDEX,
and CLUSTER) execute as the table owner rather than the calling user, using
the same privilege-switching mechanism already used for SECURITY DEFINER
functions.  The purpose of this change is to ensure that user-defined
functions used in index definitions cannot acquire the privileges of a
superuser account that is performing routine maintenance.  While a function
used in an index is supposed to be IMMUTABLE and thus not able to do anything
very interesting, there are several easy ways around that restriction; and
even if we could plug them all, there would remain a risk of reading sensitive
information and broadcasting it through a covert channel such as CPU usage.

To prevent bypassing this security measure, execution of SET SESSION
AUTHORIZATION and SET ROLE is now forbidden within a SECURITY DEFINER context.

Thanks to Itagaki Takahiro for reporting this vulnerability.

Security: CVE-2007-6600

因此，其目的是防止权限提升攻击。
您可能想阅读this mailing list thread，它提供了更详细的解释。