GeoWebCache / geowebcache

GeoWebCache is a tile caching server implemented in Java that provides various tile caching services like WMS-C, TMS, WMTS, Google Maps, MS Bing and more

Home Page: https://www.geowebcache.org

Security considerations when GeoWebCache requests GeoServer WMS to produce a tile, and JWT-based authorization.

vitalus opened this issue · comments

It looks like there are a number of scenarios (in modern web and mobile applications) in which GeoWebCache may fail at its job...

Let's consider the case:

GeoServer (and the embedded GeoWebCache) has a security configuration using a mechanism based on an HTTP header and "Authorization: Bearer...". So, the client application provides a JWT token in the HTTP header. The security mechanism (whether configured through the JWT header plugin of GeoServer or by a custom module supplied to GeoServer) checks and validates the JWT token. This applies to both the WMTS and WMS APIs (they both have to be exposed to client applications with security based on JWT).

If it's a WMTS service request, it comes to GeoServer and passes the security layers because it has the "Authorization: Bearer.." header. Then the request is forwarded to GeoWebCache. GWC does not find the tile in the cache and makes a request to the WMS service of GeoServer (an internal HTTP request). The headers are not forwarded, simply stripped. So GeoServer will reject the request because the security mechanism requires a JWT, which GWC does not include from the original request..

And it seems there is no option to tell GeoServer: please ignore security for all requests from localhost, or something like that.

Securing WMTS and WMS by HTTP headers completely breaks the normal behavior of GeoServer + GWC.

Any thoughts? Do I understand things right?
Options for a workaround? Does it require development effort to propagate HTTP headers, to allow some requests to bypass security (localhost?), or something else?
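To make the two-hop failure described above concrete, here is an added Python model written for this issue; it is not GeoServer or GWC code. It assumes a constructed HS256 key (`SECRET`), a stand-in `wms_get_map` behind the bearer-token filter, and a stand-in `wmts_get_tile` for GWC whose `forward_auth` flag controls whether the caller's `Authorization` header is copied onto the internal WMS call, so the same filter can re-validate the token on every hop instead of a localhost bypass.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed; stands in for the key the JWT filter is configured with

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT with the standard library only, so the demo runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def bearer_claims(headers: dict, secret: bytes = SECRET):
    """The 'security layer': return verified claims, or None if this hop carries no valid token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        header, payload, sig = auth[len("Bearer "):].split(".")
    except ValueError:  # not three dot-separated parts
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None

def wms_get_map(headers: dict) -> tuple:
    """Stand-in (hypothetical) for GeoServer's WMS endpoint sitting behind the JWT filter."""
    if bearer_claims(headers) is None:
        return 401, "no valid bearer token on this hop"
    return 200, b"PNG-TILE"

def wmts_get_tile(headers: dict, cache: dict, key: str, forward_auth: bool) -> tuple:
    """Stand-in (hypothetical) for GWC: a cache miss triggers an internal WMS call; forward_auth
    decides whether the caller's Authorization header is copied onto it (the issue's missing piece)."""
    if bearer_claims(headers) is None:
        return 401, "no valid bearer token on this hop"
    if key in cache:
        return 200, cache[key]
    internal_headers = {"Authorization": headers["Authorization"]} if forward_auth else {}
    status, body = wms_get_map(internal_headers)
    if status == 200:
        cache[key] = body  # only cache what the WMS actually authorized
    return status, body
```

With `forward_auth=False` the internal hop is rejected with 401 and nothing is cached, which is the behaviour the report describes; with `forward_auth=True` the same token is validated again by the WMS hop and the tile is served and cached.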