My theme uses file_get_contents() and the filesystem f*() functions quite a bit mainly on commands I use for development and also from third-party components (not plugins, but PHP from Composer), are there exceptions to this?
Currently Theme Check shows about 80 warnings from the usage of these filesystem functions and I am unable to remove every one of them, especially from third party components.
There is no mention of file_get_contents() on the WordPress Theme Submission Requirements page.
I’ve already tested my theme on several different servers, PHP and WordPress versions, and with plugins for compativilty and there have been no problems.
Wherever possible, you should use the methods exposed by WP_filesystem class when implementing a WP theme/plugin instead of classic PHP File* methods. Why? Because of compatibility and security.
If you’ll have a look at core WordPress classes that cover the usage of filesystem, you’ll see that they cover many security cases, all kind of file permissions and file ownerships (required in shared hostings) and so on:
When you include third party content, I think it’s enough if you put in your item upload comment a link and a description to the official page of that third party component, so that the reviewer can know it’s third party code.