I don’t think ‘built with the assumption that authentication and authorisation is not a thing’ is the best description. Requests from logged-in users would already need to be authenticated to see private accounts they follow. It’s more just the client having aggressive retry logic in the case of whatever rate limit responses they’re getting.