[acdha]

MFA and persistence — especially if you use SSO. If you have credentials sitting around in your home directory they can be harvested from a standard location by malware and people are often very slow to rotate them. In contrast, if you're following Amazon's guidelines your console login will already have MFA and be using short-term credentials.

[yjftsjthsd-h]

awscli directly supports 2fa (https://aws.amazon.com/premiumsupport/knowledge-center/authe... ); I guess having to harvest cookies out of a browser profile is more work, but it seems like a small difference

[acdha]

It supports some MFA (e.g. not U2F / FIDO) and not if you use SSO.

The browser profile is harder to exfiltrate, in part because modern OSes have ways to restrict access to particular processes, but that was also only part of the benefit: the main thing is the duration of the session. Tons of people leave AWS keys sitting around in ~/.aws for ages.

You can setup schemes with STS but not everyone remembers that and with this approach you have a very simple answer: it always uses STS, there's never a file sitting around for someone to accidentally save somewhere they shouldn't, etc.

Nothing here is something you couldn't do on your own — it's just a very easy option with safe defaults.