It is a matter of focus - using a proxy to provide authentication and authorisation services for a microservice like Node-RED is a sensible option. Such features have been developed over a long time and often by teams with specific security experience.
Node-RED, on the other hand, is a general purpose, low-code development platform. Is it reasonable that it is "best" at everything? I think not.
Do you have access to security specialists? Or time/money to get full security testing done? No, and no reason why you should. This is not a criticism of Node-RED; the security features of Node-RED provide a perfectly serviceable feature set for basic use. However, it is not a comprehensive security solution.
So my comments are not meant to detract from what Node-RED does, and does very well. They are meant to help people with requirements that go beyond what Node-RED is currently good at find a sensible, secure and workable solution.
Security is a specialist area. It is very hard to get right and very easy to break. Personally, I would much rather that all who are involved with the development of Node-RED focus on the important things that should be core and leave things that require specialist knowledge and specialist testing to services that are better placed to do just that. Because of this, security also needs to be multi-layered, so even if Node-RED provides some built-in security, that may not mean that other services are not also required.
This is by no means unique to Node-RED, so I'll reiterate that this is not a criticism of Node-RED or its development priorities. I have the same recommendations for many other services, both in my professional and non-professional work.
PS: for others reading this who don't know me, yes, part of my professional work is around IT security and governance.