This is mostly the case because most solutions provide more than the bare minimum of DOM rendering and event binding that a web view originally entails. Once you "accidentally" ship an entire browser inside your app, you've opened up more vectors for vulnerabilities—such is the price of humanity's hubris in attempting omnipotence.
Then second aspect is the "well-hidden" JS runtime or the general dislike of Javascript, but this point has been explained by other commenters well enough.
> Once you "accidentally" ship an entire browser inside your app
That’s not needed. Generally there’s a webview available on the system of choice. All major platforms have it, including mobile and many Linux distros.
> vulnerabilities
Such as? I mean yes if you load remote content with local access to FS etc (although that’s not within the webview). But you don’t need to (nor should you).
Then second aspect is the "well-hidden" JS runtime or the general dislike of Javascript, but this point has been explained by other commenters well enough.