Thank you for explaining Nigel.

On the down side, it seems a unnecessary burden for applications. And application layers are easier to hack (supply chain attacks). It seems to me that they might have stuffed it into the app layer because that was easier, but that it really belongs in an improved and more secure (TLS-enabled) network layer. What are your thoughts?