Do you gain any advantage by knowing the factorization of $M$ (over just knowing $M$ itself) in the Blum Blum Shub generator?
The only advantage I see is being able to calculate the $i$-th number directly, as opposed to iterating to it. This doesn't seem like a very large gain to me.
Short answer: knowing $p$ and $q$ allows building a more efficient generator, including one with random access. Further, for an adversary, at least if $p-1$ and $q-1$ can be factored, that allows finding a period, and at least if the generator allows random access past that, building a distinguisher.
With secret seed $x_0$, the Blum Blum Shub generator computes output $f(x_i)$ for $i\ge1$, where $x_i$ is defined by the recurrence $x_{i+1}={x_i}^2\bmod M$, and $f()$ is some function [such as extraction of the low bit, or eXclusive-OR or all bits], and $M=p\cdot q$ with $p$ and $q$ large distinct primes with $p\equiv q\equiv 3\pmod4$.
That implies $x_i={x_0}^{(2^i)}\bmod M$, but direct evaluation of that expression has cost $\mathcal O(i)$, and is equivalent to directly applying the recurrence.
With knowledge of the factorization $M=p\cdot q$, we can compute the output for large $i$ directly and efficiently [in time $\mathcal O(\log(i))$], by computing ${x_0}^{2^i\bmod(p-1)}\bmod p$ and ${x_0}^{2^i\bmod(q-1)}\bmod q$, then using the Chineese Remainder Theorem to combine them into $x_i$. The CRT may also slightly speed up a generator proceeding using the recurrence, as pointed my mikeaso and made quantitative by poncho in comments (computation time can be reduced by up to $1/4$ with textbook multiplication algorithms).
An adversary (with no access to the full internal state of the generator) knowing the factorization of $M=p\cdot q$, and also able to factor $p-1$ and $q-1$, can compute $u=\lambda(p-1)$ and $v=\lambda(q-1)$ where $\lambda()$ is Carmichael's function [or $u=\varphi(p-1)$ and $v=\varphi(q-1)$ where $\varphi()$ is Euler's totient function], then $\operatorname{lcm}(u,v)$ which is a multiple of the period of the BBS generator, because for all $x$, $x^{(2^u)}\equiv x\pmod p$ and $x^{(2^v)}\equiv x\pmod q$. From that it is trivial to build a distinguisher between
The distinguisher works by submitting $i=1$ and $i=\operatorname{lcm}(u,v)+1$, bets on BBS if the answers are equal, and on random oracle otherwise.
When
then I fail to exhibit a distinguisher (but would no be all that surprised if one could be devised).
Finding square roots modulo $M$ is difficult when $M$ is not prime. However, knowing the factors of $M$ lets one take the short cut of finding the roots modulo $p$ and $q$ (fast because they are prime), then using the Chinese Remainder Theorem to combine those to find roots modulo $M$.
I'm not sure how/whether that breaks Blum Blum Shub, though.
