Because strong_parameters are there for whitelist params before update or create a record. While on
edit action there are not any action over db records, and it isn't necessary to whitelist any params. On
create controller actions there are action over the db, and any parameters that is not whitelisted is forbidden.
Also rails guides show the same definition: "With strong parameters, Action Controller parameters are forbidden to be used in Active Model mass assignments until they have been whitelisted. This means you'll have to make a conscious choice about which attributes to allow for mass updating and thus prevent accidentally exposing that which shouldn't be exposed."
The most common example is when: In your browser you can edit a field name and change
<input name=user[name] ...> to
<input name=user[admin] ...> then at the form change value to '1' and submit. Without strong parameters
user[:admin] is a valid parameter and get changed at the database. Further, at the
edit action, there are no risk of any impact on the db, because you are only sending a form to the browser.