Why does angular add ng-version attribute to the app-root html tag

Angular uses this attribute to tag the element that was used to bootstrap the application.

See also https://github.com/angular/angular/commit/a4de214e2be5048f1261d043cc467a5ecaa5c909

Hiding it would only be security by obscurity which is not security.

It's an old question, but still relevant and the accepted answer could be misleading. According to Miško Hevery: "This is there intentionally, so that tools such an augury, can detect that it is an angular page and can provide useful UI."

It is not a security issue in itself, but hiding it isn't "security by obscurity" either, as that would mean that's all the security measures you take. In fact using obscurity is a good practice as it makes information gathering (recon) harder for the attacker, but one must never rely on this alone.