Because there is no user interaction, leaked M2M credentials (depending on what they are authorized for) could be used to create access tokens directly, whereas a Web app typically does require user interaction and consent.
I think the primary concern with leaked Web app credentials could be the ability to impersonate your application resulting in potential access to resources. For example, with the web app client secret a bad actor could impersonate your app, intercept an authorization code in an authorization code flow and exchange it for tokens.
Because the Web app credentials aren’t able to be authorized by the Management API, they wouldn’t be able to use any methods against it.