Hacker News

pbasista, 12/09/2024

> complaining about APIs like Web USB, but I never got why

I think that these people are not complaining about the API itself, which might be well-designed. The problem is, in my opinion, elsewhere.

It seems to me that the main reason for criticism is that having a browser perform operations on your USB port or on your Bluetooth is potentially dangerous, if you do not know what you are doing.

At the same time, the target audience of these APIs is typically the people who cannot be bothered to or are unable to use a command line tool. So, in a way, by having these APIs in the browser, a potentially dangerous tool is being put into the hands of people who may not be capable of realizing how dangerous it actually is.

I think it is fair to note that some people often do not review the scripts they download before running them, either. They just trust the source. Which might be a good-enough approach in some cases. From that point of view, having the browser run a script from a trusted website and operating a USB device is similarly safe. Or similarly unsafe.

But with a browser having this kind of capability, there are other threat models. If a scammer wants to read the user's USB devices and look for something to exploit, they can either ask the user nicely to run their probing script. Which, for better or worse, many people who may be prone to this kind of attack would just be unable to do.

Or, an attacker might simply use the browser's API to do the same thing. And they may even present a nice guide to the user explaining how to allow it to run. It seems to me that there are more people who would be prone to falling for this kind of trick than there are people who may be tricked into and capable of running a script.