In order to login through some captive portals on restricted networks you need a browser. Presumably you sometimes even need JavaScript, or else Nintendo likely wouldn't have included a JS engine since that greatly increases the attack vector.

It would have been possible to design a system of letting users read the ToS of a network and enter login information without needing an entire browser. Granted, it's probably safe to assume most captive portals aren't trying to exploit your non-traditional computing device (such as a Nintendo Switch), and if a user is changing the DNS to evade a captive portal and go to some other site, then any exploits that occur on their device are kind of their own fault, but it still seems like a suboptimal system. Either you're going to have a bunch of exploitable devices that otherwise would in practice be secure since they need to have a web browser, or you're going to have devices that straight up can't access many networks (since they don't have a built-in browser.) I'd argue the latter problem is even greater than the former: web browsers are incredibly complex! If your device is capable of running an already existing browser (e.g. Linux or BSD based systems), then it's not that big of a deal. But if it isn't (e.g. certain embedded systems), then it sucks, though there are sometimes workarounds to accessing captive networks without an on-device browser (e.g. AppleTV lets you login through captive portals on iPhone or iPad — works for people in the Apple ecosystem, but that integration isn't as easy with devices from unaffiliated companies.)

The Switch not only has a web browser, but a web server! (afaik its only used when downloading from the Switch's media browser app to your phone)