By default, a Kubernetes cluster has a taint on master nodes that does not allow any pods to be scheduled on them.
What is the reason for that?
Docker Swarm, for example, allows running containers on manager nodes by default.
Safety during failures. Imagine if a pod running on a control plane node started eating all your CPU. Easy to fix, right? Just kubectl delete pod and restart it. Except if that CPU outburst has kube-apiserver or etcd locked up, then you have no way to fix the problem through the normal tools. As such, it's usually just safer to keep unvetted workloads off the control plane nodes.
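An added example, not part of the answer above: a small audit that lists control plane nodes missing the default taint, and pods that tolerate it while having a container with no CPU limit (the failure case the answer describes). It assumes the kubeadm taint/label keys `node-role.kubernetes.io/master` and `node-role.kubernetes.io/control-plane`; the function names and the sample JSON are constructed for illustration.

```python
import json

# Taint/label keys kubeadm uses for control plane nodes (older and current name).
CP_KEYS = {"node-role.kubernetes.io/master", "node-role.kubernetes.io/control-plane"}

def untainted_control_planes(nodes):
    """Control plane nodes with no NoSchedule/NoExecute control plane taint."""
    found = []
    for node in nodes["items"]:
        if not CP_KEYS & node["metadata"].get("labels", {}).keys():
            continue  # not a control plane node
        taints = node["spec"].get("taints") or []
        if not any(t["key"] in CP_KEYS and t["effect"] in ("NoSchedule", "NoExecute")
                   for t in taints):
            found.append(node["metadata"]["name"])
    return found

def tolerates_control_plane(pod):
    """True if a toleration matches the (valueless) control plane NoSchedule taint."""
    for tol in pod["spec"].get("tolerations") or []:
        if tol.get("effect") not in (None, "", "NoSchedule"):
            continue  # toleration is scoped to a different effect
        if tol.get("operator", "Equal") == "Exists":
            if tol.get("key") in (None, "") or tol["key"] in CP_KEYS:
                return True  # empty key + Exists tolerates every taint
        elif tol.get("key") in CP_KEYS and not tol.get("value"):
            return True
    return False

def risky_pods(pods):
    """Pods allowed onto the control plane with a container lacking a CPU limit."""
    found = []
    for pod in pods["items"]:
        no_limit = any("cpu" not in (c.get("resources", {}).get("limits") or {})
                       for c in pod["spec"]["containers"])
        if tolerates_control_plane(pod) and no_limit:
            found.append(pod["metadata"]["namespace"] + "/" + pod["metadata"]["name"])
    return found

# Constructed sample data shaped like `kubectl get nodes -o json` / `kubectl get pods -A -o json`.
SAMPLE_NODES = json.loads("""{"items": [
 {"metadata": {"name": "cp-1", "labels": {"node-role.kubernetes.io/control-plane": ""}},
  "spec": {"taints": [{"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}]}},
 {"metadata": {"name": "cp-2", "labels": {"node-role.kubernetes.io/control-plane": ""}}, "spec": {}},
 {"metadata": {"name": "worker-1", "labels": {}}, "spec": {}}]}""")
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"namespace": "default", "name": "batch"}, "spec": {"containers": [{"name": "c"}],
  "tolerations": [{"operator": "Exists"}]}},
 {"metadata": {"namespace": "default", "name": "web"}, "spec": {"containers": [{"name": "c"}]}}]}""")
```

On the sample data this flags node `cp-2` (control plane label, no taint) and pod `default/batch` (tolerates every taint, no CPU limit).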