From my VERY brief understanding: this is like if you want the hole-punching of a VPN, but your stuff is public, so not only do you not want all the security of a VPN, but it works against you. But I'm happy to be corrected!

You don't have to have it public. You can have your app gate against any auth method you like to implement on top. And you can have private relays to segregate your traffic and discovery depending on setup.