This blows my mind. What good reason is there for giving javascript such permissions by default? This should at the minimum trigger an explicit permission request from the user.
My guess would be that the internet is run by developers. Apps will want this data so javascript provides it to make decisions about window sizing and user agent capabilities. Authorization would probably only occur if javascript was gated by non developers just as SSDP open and forwards ports on routers without user intervention or knowledge rather than an API that prompt the user. Just a guess.
