Because you can't trust what a web server's sending in the background, which will still be interpreted by your browser. James covers it quite well in the video Solene linked to: www.youtube.com/watch?v=9Q3GCz…
The usual approach to web security is to try and patch all the holes, e.g. the need for NoScript, UBlockOrigin, uMatrix, cleaning out cookies and SuperCookies and so on. Have a look at coveryourtracks.eff.org/ to see how much stuff your browser is leaking about your computer.
#Gemini comes at it differently - obviate the need for those by only responding securely with a specifically requested document, and let the client handle the formatting according to the user's taste: either elegantly (à la Lagrange) or minimally as in the terminal-based clients.
Markup is a little minimal for my taste but it has encouraged experimentation, both in what's essential for a hypertext system for primarily textual documents, and because the protocol is so simple, what's possible in creating new clients and servers. GemText is also easy to archive, which can't be said of many websites that build their pages dynamically.
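To illustrate the point about the client owning the formatting, here is an added example (not part of the original post) of a gemtext line classifier in Python. The function names, the sample document and the example.org URLs are constructed for illustration; the line types follow the gemtext format, which has no syntax for inline resources, so links are only collected, never fetched.

```python
# Added example: classify gemtext lines so a client can render them its own way.
FENCE = "`" * 3  # preformatted-text toggle marker

# Constructed sample document (not from the original post).
SAMPLE = "\n".join([
    "# Capsule home",
    "Plain paragraph text, wrapped however the client likes.",
    "=> gemini://example.org/notes.gmi Notes",
    "=>gemini://example.org/bare",
    "* a list item",
    "> a quoted line",
    FENCE,
    "=> gemini://example.org/ignored looks like a link, but is preformatted",
    FENCE,
    "## Section",
])

def parse_gemtext(text):
    """Return a list of (line_type, payload) tuples, one per rendered line."""
    out, preformatted = [], False
    for line in text.splitlines():
        if line.startswith(FENCE):          # toggle line itself is not rendered
            preformatted = not preformatted
        elif preformatted:                  # no markup is interpreted in here
            out.append(("pre", line))
        elif line.startswith("=>"):
            parts = line[2:].split(maxsplit=1)
            if not parts:                   # "=>" with no URL: treat as text
                out.append(("text", line))
            else:                           # label defaults to the URL itself
                out.append(("link", (parts[0], parts[-1])))
        elif line.startswith("#"):
            level = min(len(line) - len(line.lstrip("#")), 3)
            out.append((f"h{level}", line[level:].strip()))
        elif line.startswith("* "):
            out.append(("list", line[2:]))
        elif line.startswith(">"):
            out.append(("quote", line[1:].strip()))
        else:
            out.append(("text", line))
    return out

def links(text):
    """URLs the user could choose to follow; nothing here is requested."""
    return [payload[0] for kind, payload in parse_gemtext(text) if kind == "link"]

if __name__ == "__main__":
    for kind, payload in parse_gemtext(SAMPLE):
        print(f"{kind:5} {payload}")
```
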