I think the main reason is that powering off a device (for their hardware kill switches) connected via USB is more reliable than powering off a device connected via PCIe.
There are also just more layers of security when using USB as opposed to a single layer with PCIe (IOMMU -- which is secure as far as I know, but I'd prefer to be safe rather than sorry in this case).
I thought of the kill switch thing after commenting… eGPUs (necessarily) have the ability to be unplugged while running, but I think it was a lot of work on the part of the OSes to make that work well.
Besides IOMMU bugs, which silicon vendors often subtly add to their errata too much for my comfort, an IOMMU adds security against DMA attacks in theory. I specifically say in theory because oftentimes vendors either don't configure it correctly or leave it totally unconfigured. Additionally, things like multiplexing on the same bus further complicate things.
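
As an added example (not from any commenter in this thread), one way to check on a Linux machine whether the kernel has set up IOMMU groups at all, and which devices share a group and so cannot be isolated from each other by the IOMMU. It assumes the standard sysfs layout `/sys/kernel/iommu_groups/<N>/devices/`; the function name and output format are made up for this sketch. A populated listing shows only that the IOMMU is enabled, not that it is configured correctly.

```shell
#!/usr/bin/env bash
# Added example: summarise IOMMU groups as exposed by Linux sysfs.
# Usage: iommu_summary [root]   (root defaults to /sys/kernel/iommu_groups)
# The optional root argument lets the function run against a copied or
# constructed tree instead of the live system.

iommu_summary() {
    local root="${1:-/sys/kernel/iommu_groups}"
    local group dev count names total=0 shared=0

    for group in "$root"/*/; do
        # An unmatched glob stays literal; skip anything that is not a group.
        [ -d "${group}devices" ] || continue
        total=$((total + 1))
        count=0
        names=""
        for dev in "${group}devices"/*; do
            [ -e "$dev" ] || continue
            count=$((count + 1))
            names="$names ${dev##*/}"
        done
        # A group is the smallest unit the IOMMU isolates: devices listed
        # together here can reach each other's DMA mappings.
        if [ "$count" -gt 1 ]; then
            shared=$((shared + 1))
            echo "SHARED group $(basename "$group"):$names"
        fi
    done

    if [ "$total" -eq 0 ]; then
        # No groups: the IOMMU is absent, disabled in firmware, or not
        # enabled by the kernel, so PCIe devices have unrestricted DMA.
        echo "NO_IOMMU_GROUPS"
        return 1
    fi
    echo "groups=$total shared=$shared"
}
```

Call `iommu_summary` with no argument to inspect the running system.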