I think that the idea is that the invoker servlet is primarily for debugging an application - it's used when the names of the servlets you will be using are subject to change, and so you can't create the mappings.
However, once a product is ready to go to production,
you should explicitly map all servlets; that simply means you have your application well defined and not only that it provides a little extra modicum of security.
Me, I don't know that I agree with this particular argument, and I usually enable invoker and leave it enabled. It makes it very easy for me to send a
test servlet to my client to have them check something out.
Joe