Because it is fast enough, easy to onboard to with sane defaults. MS provided initial plug-ins and the ecosystem developed.

Threat model described is not unique to VS Code