When a function defined with security definer is called, PostgreSQL changes the session's rights to those of the user who defined the function while that function is being executed.
So, when bob executes the copy_from(tablename, filepath) function, bob is effectively promoted to superuser for the time the function is running.
This behavior is similar to the setuid flag in Unix systems, where you can have a program that can be run by anybody (with execute access) as the owner of that program. It also carries similar risks.