[eivarv]

I don't know. Implementing a browser in a browser can make XSS potentially bad, and I think it even lead to full on RCE in the earlier days of Brave/Electron. Still happens, I think (though to a lesser extent these days).

There's also the difference in time between committed patch and end user having a new release in the case of a critical vulnerability, for instance.

Using an embedded browser framework introduces many intermediate parties, some (many?) of which might not have being up to date with the upstream as a priority – which leads to a weakened state of security in the "browsers" downstream.