Because of clientside Javascript CSRF, which is not a common condition.

Client side js is not particularly relevant to csrf.

	▲	tptacek an hour ago \| parent [-]
		I mostly agree, but that's the logic OWASP uses to argue you should still be doing explicit tokens even if you're using SameSite and Sec-Fetch.