penetration test – Can I inject a shell command here in PHP?

When reviewing the source code of a client, I found this code.

It gets the non-standardized GET parameter, sanitizes it and passes it to shell_exec()

$arg = $_GET['arg'];

// sanitization, I guess ...
if (preg_match("/[#&\+\-%@=\:;,.'\"^`~_|!\/?*$#<>()\[\]{}]/i", $arg, $match)) exit;

$code = shell_exec("/some/app $arg");

echo $code;

I know you need to call escapeshellarg() before passing it on to shell_exec(). I am not here for this answer.

My question is, HOW can this code be exploited by an attacker to execute arbitrary commands? How can arbitrary code work around this problem? preg_match?
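
A hardened form of the call in the question, as an added example that is not part of the original post or the client's code: it replaces the character deny-list with an allow-list and starts the program without a shell. The function name run_app() and the letters-and-digits policy are assumptions; /some/app is the question's placeholder.

```php
<?php
// Added example (not the client's code). run_app() and the allow-list
// policy are assumptions; /some/app is the placeholder from the question.

/**
 * Run /some/app with one untrusted argument, without involving a shell.
 * Returns the program's stdout, or null if the argument is rejected or
 * the process cannot be started.
 */
function run_app(string $arg): ?string
{
    // Allow-list: accept only what the application is known to need
    // (assumed: 1-64 ASCII letters or digits). \A and \z anchor the whole
    // string, so a trailing newline is rejected too, and a leading "-"
    // can never turn the value into a command-line option.
    if (preg_match('/\A[A-Za-z0-9]{1,64}\z/', $arg) !== 1) {
        return null;
    }

    // Array form of proc_open() (PHP 7.4+) executes the program directly.
    // No /bin/sh parses a command line, so shell metacharacters and
    // whitespace in the argument carry no special meaning.
    $cmd  = ['/some/app', $arg];
    $spec = [
        1 => ['pipe', 'w'],               // capture stdout
        2 => ['file', '/dev/null', 'w'],  // discard stderr, avoids pipe stalls
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === false ? null : $out;
}

// $_GET['arg'] is an array when the client sends arg[]=..., so check the type.
$raw = $_GET['arg'] ?? null;
$out = is_string($raw) ? run_app($raw) : null;
if ($out === null) {
    http_response_code(400);
    exit;
}
// Encode on output: the program's stdout is untrusted data in an HTML page.
echo htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
```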