The primary reason for this is my damn 1password extension, which I assume sees that my node-red instance is one big very complicated login page, since the base URL (excluding the hash) never changes. 1Password X (beta) is really the issue. The old extension had the ability to exclude sites. And I guess I could forget the admin password in 1Password, but I like to have it available on all my devices since I like long super complicated passwords, which is just what everyone should be doing.
So this seems minor and fixable on my (the user's) side, but I've read that separating web apps from the login page is best practice from a security standpoint. Also, what if the node-red password is accidentally form filled where it could be leaked out of the app through a flow?
This doesn't seem that complicated of a feature to add, but it should be optional since it could break a lot of stuff. I can try to submit a PR if anyone is interested.