It allows the attacker to freely double spend their own coins. But nodes checking the validity of all transactions are what prevents the 51% attacker from accessing anyone else's coins.
Maybe that's the reason exchanges back then approved transactions of Bitcoin that had "3+" confirmations.
Gambling websites also required 3+ confirmations around 2013, but now it's reduced to 1+ confirmations looking at how hard it would be for someone to double-spend their coins on the website (there's still a possibility of performing the 51% attack, but the malicious party will waste their resources looking at the current overall hash rate of bitcoin network)