On Linux, the four filtered syscalls are fork(), vfork(), execve() and execveat():
Many remote code execution exploits work by executing a very small amount of code within the vulnerable process in order to start a separate process, normally a shell that is exposed to the network. This new process then allows much broader access to the rest of the system, opening the door to further vulnerabilities that are perhaps not remotely exploitable. If the syscalls needed to start this separate process are blocked, this common exploit technique is no longer possible.
This is all somewhat theoretical right now since there are no known vulnerabilities, but Elasticsearch has these protections in place just in case one is discovered in the future.
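As an added example (not Elasticsearch's own code, which applies the same idea from Java), here is a seccomp-BPF filter in C that refuses the four syscalls above with EACCES. The function names `install_exec_filter` and `exec_is_blocked` are this example's own, and it assumes an x86_64 or aarch64 Linux kernel built with seccomp filter support.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Two BPF instructions: if nr equals the given syscall, fail it with errno EACCES. */
#define DENY_NR(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))
static struct sock_filter filter[] = {
    /* Kill the process if the syscall ABI is not the one this was compiled for. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_fork   /* fork/vfork have no syscall number on aarch64; only clone() exists */
    DENY_NR(__NR_fork),
    DENY_NR(__NR_vfork),
#endif
    DENY_NR(__NR_execve),
    DENY_NR(__NR_execveat),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),  /* everything else passes */
};
/* Installs the filter for the calling thread and threads it creates later; 0 on success. */
int install_exec_filter(void) {
    struct sock_fprog prog = { sizeof filter / sizeof filter[0], filter };
    /* NO_NEW_PRIVS lets an unprivileged process install a filter and stops setuid from escaping it. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* 1 if execve() is refused with EACCES (filter active), 0 otherwise. execve() is the probe
   because glibc implements fork() on top of clone(), which these four rules do not cover. */
int exec_is_blocked(void) {
    char *const argv[] = { "/bin/true", NULL }, *const envp[] = { NULL };
    execve("/bin/true", argv, envp);  /* would not return if the filter were absent */
    return errno == EACCES;
}
```

Call `install_exec_filter()` once at startup and then `exec_is_blocked()` from `main` to confirm the rule took effect; the clone() caveat in the comment is why a production filter needs more than these four rules to stop every way of starting a process.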