Why Magento 2 have 2 possible root folder?

Using /pub is better, because it is more secure. Why? Because in that case most of Magento's code will live outside the public document root, so the possible attack surface is smaller. In other words, when you use the top level folder as document root, you have to make sure that various folders (such as app) are explicitly denied in your webserver configuration.

That said, not everybody can configure the document root, so Magento provided a top level index.php for compatibility.