Hidden user attributes tend to be passwords or tokens so allowlisting URLs restricts where those passwords or tokens can be sent.

You wouldn't want someone doing something like, I'm going to use this user attribute on a schedule to a random place so that I can see the value of it.