I recall manually entered commmands have access to some APIs that are not normally accessible. Maybe timing related? So in the theoretical extreme, a timing attack to access something in your entire system memory and upload it via HTTP... while you watch the game play :)
Do they? It's easy enough to 'give' any API accessible to the console to the page by setting a variable from the page to point to a console-only accessible function.
Given there aren't many sites that say "just open the console and paste this command to win the big prize", I suspect that any console-only API's aren't very powerful if they exist at all.
Because normies are extremely susceptible to things like "hack Facebook, see the PMs of any hot girl u want!111 just right-click and paste this into your browser console trust me bro"
As well as the usual engagement driving "challenges" like "Omg did you know there's no country starting with Z! Bet you can't think of one!" meanwhile comments are filled with "duuuuh Zanzibaaaar!" and post engagement is >>>>>>>>>>>>
(Admittedly I typically browse with JS disabled...)