I don't really understand how this is so hard to get. Is this a phenomenon of using "full stack JS" for everything and tools that intentionally try to hide the boundary between client and server? If that's the case then why are the tools designed to cause those problems?
^ This and also taking a shortcut is easier. For teams that are not full-stack, doing it client-side means you don't have to bother the backend team for more APIs or wait for them to implement it for you.
Lack of security mindset. It's important to have the fundamental habit of assuming that every surface area you expose could receive arbitrary inputs and will not necessarily only interact with code you've written. But that's not an innate thing that everyone knows without explicit learning/training.