Hacker News
by gugagore 2779 days ago
Maybe I don't see your point, but an iOS app could execute code locally. The only risk is the device owner could compromise the device. There is no [additional] risk of another user doing so.

The browser's JavaScript console also only runs code locally, but getting people to copy code into it is a serious attack vector.

Not saying that's Apple's reason, but being limited to local execution doesn't mean it's safe.

Because JavaScript run locally can connect to the internet, and if it is put into the console within the page on a domain that is storing secrets in local storage/cookies, it can scoop up all your credentials or other private information and send them to some other server. Unrestricted local execution can give up full access to the local user's accounts, so it is not good. Server execution can do that and also maybe impact other users.