People are going to give you an answer like "
sprays are disabled because of pornographic content", but this is the result of a bigger issue. sv_allowupload and sv_allowdownload are the two convars that, when disabled, prevent
sprays from being used. In particular, sv_allowupload, when disabled, prevents users from uploading files to the server (in most cases,
sprays). sv_allowdownload is what allows the client to request downloads from the server (again, in the form of
sprays more often than not). Both of these convars are heavily protected in that, outside of using an exploit, you can only upload
sprays with them. When using an exploit, however, you can do some pretty nasty things, like uploading a module to the server (a .dll or .so that the server will automatically load provided it's in the right directory), and then transmitting a module to the client (
here's an example of exactly that, done by someone who's now a Garry's Mod developer as an example of how much worse it could be) or downloading clientside lua files from the server (stealing content). FastDL works even with these disabled because the server directs you to download from an outside domain; the files are hosted on the website, not the server.
In general, this is why
sprays can't be used. You can see your own
spray, and people can see your
spray if they've seen it before on a server that has these convars enabled, which is why you can see certain other people's
sprays. There are methods to fix the exploits that exist with these convars, but in general, it's safer to either use an alternative
spray system that uses image files (like
SprayMesh) and tells you who
sprayed what, or to disable the
spray system entirely.
In other words, I'm saying that, although disabling
sprays was a desirable result, it's the side effect of a larger issue.