Why is the scalar component of the secret key in Ed25519 clamped as specified?
’Cause security, obviously.
For realsies, tho: clamping breaks the linear relation between secret and public keys, so stuff like hierarchical key derivation or plain outsourced vanity address grinding becomes difficult compared to cryptosystems with such a relationship (e.g., the secp256k1 elliptic curve with either ECDSA or Schnorr). In some cases, the damage is irreparable: as clamping leaves space for just 2251 secret scalars as opposed to ℓ = 2252 + … possibilities, arithmetic on public keys that would map to secret keys is impossible. It is relatively easy to get rid of restrictions by not clamping secret scalars, but there must be some reasons they’re clamped, right?
For real realsies, setting one of higher bits to one sort of makes sense; it enables to not allow for the zero scalar during signature generation. Setting lower 3 bits to zero might protect against extracting the secret key by solving a fitting hidden number problem (which were shown to be an effective attack vector for other cryptosystems, e.g., ECDSA).
Alternatively, setting lower bits supposedly protects against small-subgroup attacks, but relevance of these attacks to signing is a conundrum on its own (originally, small-subgroup attacks apply to key exchange).