A long time ago, I thought the main argument for this was the following use-case:
1) Vendor XYZ has buggy drivers that can be exploited via GL
2) Malicious site uses GL_RENDERER string to guess that the person has the buggy drivers installed.
3) Malicious site uses WebGL to trigger this.
4) System compromised / crashed.
Now, 2) isn't a sure better since renderer <-> driver version isn't guaranteed, but if someone sees NVIDIA or AMD in it, they can at least ballpark it. This is probably the worst case scenario. (On the other hand, there is nothing stopping them from just doing 3) without using the GL_RENDERER string, so honestly, I'm not sure how much of a protection this really is - buggy drivers are buggy drivers, no way to get around that really.)
I'm not saying I buy this series of steps, but I don't think anyone has mentioned it yet (and if they have, I apologize o.o ).