About security concerns using in find -exec vs interactively performing the same task

My question is not aimed specifically at understanding find's and its -exec option's security implications, but more generally at understanding why (if at all!) such programs are particularly exploitable with respect to an interactive approach to accomplish the same task. For instance, [here's an example of a command that is described as risky](https://www.gnu.org/software/findutils/manual/html_node/find_html/Race-Conditions-with-_002dexec.html) : >

> find /tmp -path /tmp/umsp/passwd -exec /bin/rm
>

> In this simple example, we are identifying just one file to be deleted and invoking /bin/rm to delete it. A problem exists because there is a time gap between the point where find decides that it needs to process the ‘-exec’ action and the point where the /bin/rm command actually issues the unlink() system call to delete the file from the filesystem. Within this time period, an attacker can rename the /tmp/umsp directory, replacing it with a symbolic link to /etc. There is no way for /bin/rm to determine that it is working on the same file that find had in mind. Once the symbolic link is in place, the attacker has persuaded find to cause the deletion of the /etc/passwd file, which is not the effect intended by the command which was actually invoked. Now, first and foremost, I don't understand why the "time gap" is even necessary for the security issue to exist; I mean, _an attacker can rename the /tmp/umsp directory, replacing it with a symbolic link to /etc_ even before find runs at all, wouldn't the result be the same? Secondly, since the intent of the command is to delete /tmp/umsp/passwd, I could have done /bin/rm /tmp/umsp/passwd. Wouldn't I incur the same risk of an attacker having performed the aforementioned substitution before I run this command, possibly right after I've cat /tmp/umsp/passwd to makes sure it's the one I want to delete?