TYPO3 Core

The class

TYPO3\CMS\Extensionmanager\Controller\UploadExtensionFileController

has the __destruct() (calling removeBackupFolder()) method which will be called after unserialize().

Another example:

TYPO3\CMS\Core\Service\AbstractService

If this class does not need to support for serialization, we should consider implementing the method __wakeup() and throwing an exception.

If the class really need to be serialized, than there should be additional checks done before removing a directory (like checking if the deletion takes place in typo3temp, etc.)