See replies below
Other commenters posted before, and I think they track the issue.
It's not security that the problem, it's privacy. If you email a link with embedded Scroll To, the full URL goes through the internet to the server, thereby announcing to said server the true sub-content that you are specifically interested in. Imaging looking up a full text of a day's court precedings but you're really only interested in the trial of the well-endowed pRon performer. The server now knows this if you clicked that Scroll To-embedded link.
However, if it were implemented exclusively in the browser then said browser can strip the Scroll To content out of the URL prior to transmission, only keeping the Scroll To content to itself. It would them act on the Scroll To content when the page was received by using a JS-activated Find In Page function, thereby keeping outside entities out of the Jump To functionality entirely.
But now anyone clicking on a Scroll To-enabled URL is giving away their full intent, not just a general idea, of exactly and precisely the content that interests you. Direct marketing, hidden profile building and user telemetry all get an enhanced hit, thanks to embedded pinpoint scroll to only the sentence you desire
I'll make sure NEVER to click on that type of URL.