KISS principle - “Keep it simple, stupid!”

There is no need for token, it just add complexity and slowdown development, because for to have nostr token, it need to be in core - NIP1. If it's not in NIP1 it's better to use anythink already existing because it's not forced.

Right now, implement Nostr protocol into existing social network as alternative API is hours or days max, with token, they need to do a lot more work.

Attack vector - there are also legal reasons. Look at LBRY project. They has been targeted by SEC.