I understand (from reading Dive Into HTML5) that when an application with a manifest attempts to request files from a different domain, it may only do so if they are listed in the NETWORK section. Anything not listed in the network section will appear to be unreachable, even when online. This may be what that quote means by "protect(ing) the user from potential security breaches by limiting access only to approved resources" -- you may make a web application offline to seal it off from the rest of the web and prevent cross-site scripting.
It seems like some weird rules. And it doesn't look like there's much difference between a local file listed in NETWORK and a file not listed at all. (As you say, I don't get why you need to list something in NETWORK to ensure it is requested each time; surely anything not explicitly cached will be requested every time.)
Also I have noticed on Chrome (but not Firefox) that files explicitly listed in NETWORK do not fall back to the offline FALLBACK URLs when offline; they just result in an error. That could just be a quirk of Chrome though.