> In what way is it harder to write a library that exfiltrates credentials passed to it in those languages?

It is not harder to write. It is more challenging to execute this attack stealthily.

Due to the myriad behaviors of runtimes (browser vs. backend), frameworks (and their numerous versions), and over-dependency on external dependencies (e.g., leftpad), the risk in JS-based backends increases significantly.