Alec Aivazis added This_is_a_different_type__.html  over 8 years ago

Commit id: 8d54a00e03cd5e27cf6b2b659458085034660d4f

This is a different type of network vulnerability from the traditional three (XSS, CSRF, and man-in-the-middle), one that arises from the nature of SPAs. Previous paradigms did not have this problem because they could authenticate every request using traditional methods and prevent the user from going somewhere they shouldn't. Even if one were to have a solution for this (in light of the malicious browser), we would still authenticate backend endpoints to prevent data from leaking. So is this extra step absolutely necessary? No. But it keeps the request times very low and adds an additional level of security, which is never a bad thing.
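The point above is that a client-side route guard is a convenience (no round trip, fast navigation) while the backend check is the real control, because a modified browser can claim any role it likes. The following JavaScript is an added example written for this note, not code from the commit or its author; `ROUTES`, `SESSION_STORE`, `guardRoute`, `authorizeRequest` and the sample tokens are constructed for illustration.

```javascript
// Added example, not part of the original commit. All names and data are constructed.

// Routes the SPA knows about and the role each one requires (null = public).
const ROUTES = {
  "/": null,
  "/dashboard": "user",
  "/admin": "admin",
};

// Server-side session table: token -> role. Constructed sample data; a real
// backend would consult a session store or verify a signed token instead.
const SESSION_STORE = new Map([
  ["tok-user-1", "user"],
  ["tok-admin-9", "admin"],
]);

// Client-side guard, run in the browser before a route renders. It only looks
// at state the SPA already holds (the role it believes it has), so it costs no
// network request. It improves UX, but a tampered client can pass any
// `claimedRole`, so it protects nothing on its own.
function guardRoute(path, claimedRole) {
  const required = ROUTES[path];
  if (required === undefined) return { allow: false, redirect: "/" }; // unknown route
  if (required === null) return { allow: true };                       // public route
  if (claimedRole === required) return { allow: true };
  return { allow: false, redirect: "/" };
}

// Server-side check, run on every backend request regardless of what the SPA
// rendered. The role is derived from the token via the session table, never
// from a client-supplied field, so a spoofed claim in the browser is irrelevant.
function authorizeRequest(req, requiredRole) {
  const token = req.headers["authorization"];
  const role = SESSION_STORE.get(token);
  if (!role) return { status: 401, body: "unauthenticated" };
  if (role !== requiredRole) return { status: 403, body: "forbidden" };
  return { status: 200, body: `ok as ${role}` };
}

// Scenario: a client holding an ordinary user token has been modified to claim
// the admin role. The route guard lets the admin view render, but the data
// request behind it is still refused by the backend.
function tamperedClientScenario() {
  const clientDecision = guardRoute("/admin", "admin"); // spoofed claim in the browser
  const serverDecision = authorizeRequest(
    { headers: { authorization: "tok-user-1" } },     // the token the client really has
    "admin"
  );
  return { clientDecision, serverDecision };
}

const outcome = tamperedClientScenario();
console.log("route guard:", outcome.clientDecision);   // { allow: true }
console.log("backend:", outcome.serverDecision);       // { status: 403, body: 'forbidden' }
```

The guard keeps navigation snappy because it never waits on the server, while `authorizeRequest` is the check that actually prevents data from leaking, which is why the note says the backend must authenticate its endpoints either way.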