This behavior is apparently related to how Flash Player is a click-to-enable feature in Chrome now (Chrome Help forum discussion on this behavior). If you visit a SWF directly, it will not ask you to click-to-run, it will simply download it instead.
If you were to go to chrome://plugins/ and check "Always allow to run" it would play the SWF as previously normal in the browser directly, without the HTML wrapper. The fact it will not prompt you to enable it does not seem to be a security decision.
Is there any security reason why the former case should be treated differently from the latter?
All that being said, yes, I think there would be.
Imagine there was a website, say an old forum, which allows you to upload an avatar. It is expected you will upload an image file, but the file type checking is poor, and an attacker uploads a malicious SWF file instead, to perform an XSS attack on the site admins. Now, the HTML being generated for this avatar, might look something like this:
<img src="http://example.com/user/123/avatar.swf" />
That won't run as a SWF, so no HTML for the attacker. So instead the attacker tricks the admins into clicking a link to http://example.com/user/123/avatar.swf where the SWF does load, and that SWF performs the XSS attack as the privileged users, and PWNs the site.
Of course, such a risk is not unique to Flash Player. A similar attack could be performed with JavaScript inside an SVG instead of a SWF.
