Official reasoning may be much more sensible that mine but what I think is that SMTP is kept in the yml file because email is critical to discourse. You can not enter discourse as an admin without a valid email verification. Letting anyone register without any type of email verification is a risk in itself.
Also, people generally don’t change their SMTP settings very often once they have been set. I am an admin to sites running for over 8 years with no change to SMTP settings.