A reentrancy attack happens because the EVM doesn't allow concurrency. This means that two contracts involved in a message call cannot run simultaneously.  An external call pauses the calling contract's execution and memory until the call returns, then execution proceeds normally

Software engineer. Building and learning in public, solidity/EVM. Building Stablecoin infra(zeneca.app)

ialmanza.com

what is the mental model about smart contracts that allows you to understand this properly?

i read that but didn’t understand what you mean.

learning how to write (both words and code) /anky

Yes, I think the best explanation: a smart contract can run a task at the time. The vulnerability happens when an Attacker contract calls a Victim contract creating a loop allowing to drain the funds in the smart contract