Because it is possible to steal data even though it is on your own browser.
Since you’re a discord user and a developer, you probably have seen this:
I used to make a code which was getting user’s token (this is what runs a selfbot) using an eventlistener and then sending to my website. If I gave this code to someone who’s not a coding expert to run on his console then imagine what would happen.
And yes the user runs it on browser. harmless, right?
And if a varifying system relies on the front-end javascript then this is easy to bypass using a XSS code.
You prove my point now, but the backend however has to be secured too, or else it will make things even worse.
Take executing eval on node.js as example, you MUST have to control or patch this one or else an exec command will ruin the whole server.