Even simple HTML pages may require Javascript and want to run code on your computer or phone. You need knowledge of the document, knowledge of its author, or constant keepup and awareness of browser settings (e.g. did some update re-enable Javascript) to mitigate this.

A .gmi is 100% certain not to need any extra code capable of potential unwanted external communications, not now and not in the future.

Also .gmi is extremely simple and can be rendered very simply (and thus more securely) because it can be processed nearly statelessly line by line, without need of a rendering tree or document model.

I think some of the point is what you can’t do with it rather than what you can. It’s an intentionally very restrictive protocol.

Nothing.

But that's not the point.