@julian Why? because the unauthenticated user should not be able to view federated content, since this may make you susceptible to public cache poisoning attacks, where a third-party could make you publicly display CSAM content, and then it looks like you're displaying it first-party and hosting CSAM to your hosting company, who takes your server down immediately and/or reports to LEO.
We've already seen this attack used to take down fediverse servers.