I haven't read a good justification from them on this but it did seem reasonable to me that if the protocol allows auth to be added on top then it's less critical to be in the spec v1 itself.

It's not no security vs security but not standardized vs standardized.

Agree though that's it's not ideal and there will definitely be non zero harm from that decision.