Blame brings us to #12101, where @westi said this:
We also need to hilight that functions should check the capability as well and we ask for it to enforce visibility.
The commit, [12914], was part of 3.0. I thought that maybe the restriction on loading the function at all was only added later, but it was apparently added in 1.5.
My guess is, that maybe @westi didn’t remember this at the time he wrote the docs. That is why they seem to indicate that the capability provided will only be used “to determine whether or not a page is included in the menu.”
In addition, WordPress has a pattern of each admin page’s code being placed in a separate file. This allows the code to be run by accessing the file directly, which means that proper capability checks are particularly important.
Aside from this, there are no issues that could arise from not checking the capability that I can think of. It is still probably a good idea, just in case (should the function ever be called in a different context). This would prevent it from being utilized via an exploit of other code that had an arbitrary function execution vulnerability, for example.