Yeah, I would argue it's less about removing trust from the client (which will ultimately get an auth token in addition to secrets and plaintext messages) and more about allowing for centralized authentication and authorization policies.