It’s discouraged because other than limited permissions control on the server (directories mostly) there’s no user control, no authentication, no encryption.
Its typical use is in uploading/downloading network device configurations, firmware updates, etc. and that’s about it.
Case in point – we used to download all switch and router configurations weekly to a backup TFTP server, so that we had an audit trail of our configurations. Since I didn’t set it up, I don’t remember the particulars, but a determined internal attacker could theoretically find the TFTP server, download our router configurations, and crack the passwords. (Not firewalls – those were kept more secure)
Hope that helps,