Security headers are HTTP response headers that protect both the requested site and the requesting browser from executing malicious code. That is, they protect both you and your site's users in case malicious code has been injected into a page of the web app.
In WordPress, security headers are served directly by the web server, such as Apache or Microsoft IIS. For example, take a scenario where a page has been injected with a malicious iframe. When the server serves that malicious web page to a user, it serves it along with some security headers. If the right kind of security headers are present (X-Frame-Options), they will stop the user's browser from showing that malicious iframe.
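As an added example (not part of the original page), the following Python check reads the header block a web server returned and reports whether X-Frame-Options is present with one of its two standard values, DENY or SAMEORIGIN. The response heads are constructed samples and the function names are illustrative.

```python
# Added example: audit the X-Frame-Options header in a raw HTTP response head.
# The sample responses at the bottom are constructed for illustration.

VALID = {"DENY", "SAMEORIGIN"}


def parse_headers(raw_head):
    """Return a list of (lowercased name, value) pairs from a response head."""
    headers = []
    lines = raw_head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:            # skip the status line
        if not line.strip():
            break                     # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_x_frame_options(raw_head):
    """Classify the response as 'ok', 'missing', 'invalid' or 'conflicting'."""
    values = []
    for name, value in parse_headers(raw_head):
        if name == "x-frame-options":
            # A comma-joined value appears when duplicate headers get merged.
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    if not values:
        return "missing"
    if any(v not in VALID for v in values):
        return "invalid"              # e.g. obsolete ALLOW-FROM, or a typo
    if len(set(values)) > 1:
        return "conflicting"          # DENY and SAMEORIGIN both sent
    return "ok"


GOOD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
BARE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
OLD = "HTTP/1.1 200 OK\r\nx-frame-options: ALLOW-FROM https://example.com\r\n\r\n"
DUP = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("good", GOOD), ("bare", BARE), ("old", OLD), ("dup", DUP)]:
        print(label, audit_x_frame_options(head))
```

Header names are matched case-insensitively, and a header that appears twice with different values is reported as conflicting rather than ok.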