Because imo... that is the answer. We have seen so many stupid closed ecosystems of home automation stuff come and go, I dunno why you'd mess with anything else at this point. In fact I just got another email reminder that Google is turning off the old Works with Nest stack. Remember Nest? Yeah...
I think the issue is more the attitude towards security and system stability that is implied by such installation methods, which is apaprently endemic to the entire "JS ecosystem". That attitude being "who cares about security or stability?"
When It's my system and I don't want to mess with it, just set stuff up and have it run trouble free and do the things I want (and only I want), then I do care about such things and agree that JS has no place other than sacrificial toy boxes that get insulated from "real" computing like they was a modem with its phone number posted at the payphones by the 2600 meetup.
You don't give it root on your desktop linux system you do all your sensitive stuff on of course. That makes zero sense. Home assistant really runs great even on a cheap raspberry pi if you don't have a VM- or dockerserver.
also, your faith in "VM" insulation appaears greater than mine. if i dont trust a VM i dont trust the host running the VM.
others have different opinions and that's ok. my systems run to my standards, however quirky they may be. im stating opinion here, not attempting to inscribe Sysadmin Commandments. them's written on the wall of the bathroom stall.
edit: just for reference, the last cpu i could say i trusted was before speculative execution was a feature. since then its more about risk mitigation. i'm not paranoid, there's people worse than me, and they're nuts. I'm just cautious and lazy.
Real virtualization is a bit more airtight, though. There have been some escape exploits but they all abused drivers that you wouldn't use heedless (shared folders, VGA, PCIe passthrough), not the virtualization layer. But that's a distinction without a different, really, so good on you for being careful!