In this part introduced in 3742be1

If cache_control is set, then the Expires header will be output too which should rather not happen because

If there is a Cache-Control header with the max-age or s-maxage directive in the response, the Expires header is ignored.
(https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires)

The presence of both may create confusion (for the developers at least)

So if cache-control... else if expires > 0 would do the trick?

Actually that even has a Cache-Control. The whole logic would be:

        // Set Cache-Control header (replaces Expires)
        if ($cache_control) {
           $headers['Cache-Control'] = strtolower($cache_control);
        } elseif ($expires > 0) {
            $headers['Cache-Control'] = 'max-age=' . $expires;
        }

With no Expires header at all, it would just use CacheControl for both scenarios of setting a cache_control string in header or setting an expires time.

Actually reading more, this is not 100% true, only if max-age is set is Expires ignored. Probably safer to just leave it as is. We could create logic to skip it if cache_control doesn't contain max-age, but what's the point? code gets ugly, an extra check, and browsers ignore anyway?

I think it's confusing to output both when we know only one is useful at a time.

You need both and it's hard to detect when only one is needed. I would keep the code as it is.