In many cases, peer classes in the same package have the same author, thus he knows about the inner way these classes work, or in other words he knows about the encapsulated logic of these classes. Thus he can make sure that package-private accesses between classes adhere to the encapsulated logic of the accessed class and that these accesses do not break anything.
These direct accesses are often useful for optimizations and for keeping the amount of source code smaller.
For the question part why outer classes may be package-private, but not protected, I have no answer.