A question to #mastodon instance admins.

Is there any real reason to enable "secure mode" (https://docs.joinmastodon.org/admin/config/#authorized_fetch) while still allowing to view (public) posts through the public web interface & Mastodon's own API?

Right now, it seems like an unnecessary hurdle: I still can fetch the post via web interface, I can fetch it via Mastodon's own API, but I can't fetch it with plain ActivityPub.

I'm asking this because when I try to do things like https://iliazeus.github.io/fedimap/, there always are a few instances that do this kind of thing.

(also, a lot of them don't seem to have proper CORS headers on their public API, but that's a whole 'nother story)