Agreed. And even though their goal is probably not literally "database reconstruction" but just generally "obtain the information", to get "everything" you'd have to be prepared to scrape a bunch of different pages in ACP per user to collect that info, and hope that your compromised account and online access utilization of the live board will go undetected until you're finished scraping thousands of users and posts.
Database download gives you all of that in seconds, without necessary preparation, and in one shot; 100% of data compromised, in little to no time.
And as Steve said, there are important things they wouldn't be able to collect using the ACP, either. For example, if they wanted to collect and test against the password hashes of the user accounts; you can't "see" or "get" that through ACP, but it's in the database. And as mentioned, there isn't a path in standard phpBB ACP to read a user's private message inbox or outbox.
Overall, even though I agree that "it seems weird that there isn't a secure way to do that", it also seems like a good compromise to have implemented a change that requires "the intruder will need to have compromised your actual hosting account, too" in order to easily get "everything." Versus "having compromised phpBB alone is enough" to have enabled such a quick and complete "hit & run" data exposure.