It isn't about security, it's about controlling the default baseline ecosystem.

If it were truly about security A) it'd actually be secure B) it'd be way more user-hostile than a client-side ACL.