I don't think it means what you're suggesting, but maybe I'm misunderstanding you. The previous paragraph in the RFC says:
> Applications using this specification can impose additional requirements upon implementations that they use. For instance, one application might require support for encrypted JWTs and Nested JWTs, while another might require support for signing JWTs with the Elliptic Curve Digital Signature Algorithm (ECDSA) using the P-256 curve and the SHA-256 hash algorithm ("ES256").
In the next paragraph it says:
> Of the signature and MAC algorithms specified in JSON Web Algorithms [JWA], only HMAC SHA-256 ("HS256") and "none" MUST be implemented by conforming JWT implementations.
They're making the distinction here between JWT implementations (i.e. libraries) and applications that use JWT. Nothing mandates that applications must accept the "none" method. The earlier paragraph gives specific usage examples in which a small subset of options are allowed by the application. That is the intended use.
In this later paragraph they're just establishing a baseline of encryption support in libraries; i.e., what is the minimal set of choices that a library can offer to an application. Applications are still expected to actually choose.
