Why is the default value for PromptUserToAllowBootstrapTokenForAuthentication false?

Per SettingsCommand.Command.Settings.MDMOptions.MDMOptions (https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/mdmoptions/mdmoptions?changes=latest_minor), the PromptUserToAllowBootstrapTokenForAuthentication default value is false.

Can you elaborate on why the default value is false? From our testing on macOS 11, it would appear that when the value is false, only the primary account is able to log on to the device, because only the primary account can decrypt the encrypted volume. Any optional admin accounts that are created are unable to decrypt the value, so consequently the optional admin account cannot log on. This seems like a big change in macOS 11 that should be called out.

We also noticed that any local users that were created while logged in as the primary account appear to inherit some permission that allows these local users to decrypt the volume and log in.