CONFIG_EFI_VARS exposes a lot of attack surface as it allows you to mess with EFI variables.
There have been cases of people bricking their computers by accidentally deleting EFI variables. An attacker might be able to do far more by writing specific things to them.
CLIP OS disables this.
CONFIG_EFI_VARS also seems to be a legacy option replaced by efivarfs.
This may break some things and requires testing and more research.
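
A check for the setting discussed above, as an added example that is not code from this page or from CLIP OS: it reports whether a kernel config still enables the legacy `CONFIG_EFI_VARS` interface and whether efivarfs (`CONFIG_EFIVAR_FS`) is available as its replacement. The function names and the sample configs are constructed for illustration. The runtime check assumes the legacy interface appears at `/sys/firmware/efi/vars`.

```shell
#!/bin/sh
# Added example: audit a kernel config for the legacy EFI variable interface.

# kconfig_state OPTION FILE -> prints y, m, or n (n = "is not set" or absent).
# The match is anchored on "OPTION=" so longer option names sharing the
# prefix are not counted.
kconfig_state() {
    opt=$1; file=$2
    val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$file" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# audit_efi_vars FILE -> returns 0 if CONFIG_EFI_VARS is off, 1 if it is on.
audit_efi_vars() {
    file=$1
    legacy=$(kconfig_state CONFIG_EFI_VARS "$file")
    efivarfs=$(kconfig_state CONFIG_EFIVAR_FS "$file")
    echo "CONFIG_EFI_VARS=$legacy CONFIG_EFIVAR_FS=$efivarfs"
    if [ "$legacy" != n ]; then
        echo "FAIL: legacy EFI variable interface is enabled"
        return 1
    fi
    echo "OK: legacy EFI variable interface is disabled"
    return 0
}

# legacy_sysfs_present ROOT -> returns 0 if the legacy sysfs directory exists
# under ROOT (pass "" for the running system). Catches the =m case where the
# module is actually loaded.
legacy_sysfs_present() {
    [ -d "$1/sys/firmware/efi/vars" ]
}

# Constructed sample configs (not taken from any real distribution).
sample_legacy_on() {
    cat <<'EOF'
CONFIG_EFI=y
CONFIG_EFI_VARS=m
CONFIG_EFIVAR_FS=y
EOF
}
sample_legacy_off() {
    cat <<'EOF'
CONFIG_EFI=y
# CONFIG_EFI_VARS is not set
CONFIG_EFIVAR_FS=y
EOF
}
```

On a real system, point `audit_efi_vars` at the config the kernel was built with, for example `/boot/config-$(uname -r)` where the distribution ships one.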