
Because the web is broken in every way imaginable for no reason and should have been discontinued about 14 years ago. But this is really old; now my favorite is DNS rebinding [1]. This has to be one of the most beautiful examples of how core web devs do not understand ANYTHING. Every single thing they have ever done is a misconception. Not a single web-dev-related disclosure for the last 20 years has given me insight on how to design secure systems; it's always just a thing that would not exist in any alternate design.

1. https://github.com/mpgn/ByP-SOP




Sending credentials and cookies to third party sites is the original sin. It should have never happened. We keep it because it is useful for advertisers [1]. Same-origin is just a huge and complicated band-aid to close the gap. Without same-origin and credential passing, you could have really cool mashup apps - one page could scrape another (uncooperating) one and display the results in a new way. Heck, you could write a browser in a browser if you wanted.

[1] How would you implement third-party login and similar useful things without it? Your page's script could pass the necessary cookies explicitly to the third party script, or you could go around the backend and have server A tell server B who a session belongs to.


When you wrote this comment, did you expect to get downvoted and just not care?

Like, you have good information, but you crammed it in between so much hyperbole and exaggeration.


Very interesting, thanks for sharing!


Aren't DNS rebinding attacks blocked by using https?



