I think your counterpoint is a good one — but I would argue that it has
the implicit assumption that such users will and can delegate to authority.
In my own experience this hasn’t been the case — the alternative of the user not understanding
a problem is not going with an authoritative approach, but simply not to think or care
about the problem.
Even when relying on ‘good’ solutions you need the requisite knowledge to
judge what is good — otherwise people, engineer’s included tend to view such
solutions as unnecessary. In your example, an authorization framework will
have a selection of different protocols from OAuth, Basic, LDAP and so on — all
of which are ‘good’. Without understand authorization and authentication
could you really select between them?
In my own experience this hasn’t been the case — the alternative of the user not understanding a problem is not going with an authoritative approach, but simply not to think or care about the problem.
Even when relying on ‘good’ solutions you need the requisite knowledge to judge what is good — otherwise people, engineer’s included tend to view such solutions as unnecessary. In your example, an authorization framework will have a selection of different protocols from OAuth, Basic, LDAP and so on — all of which are ‘good’. Without understand authorization and authentication could you really select between them?