[wild_preference]

The browser's Javascript console also only runs code locally, but getting people to copy code into it is a serious attack vector.

Not saying that's Apple's reason, but being limited to local execution doesn't mean it's safe.

[krferriter]

Because javascript run locally can connect to the internet, and if it put into the console within the page on a domain that is storing secrets in local storage/cookies, it can scoop up all your credentials or other private information and send them to some other server. Unrestricted local execution can give up full access to local user's accounts, so is not good. Server execution can do that and also maybe impact other users.