I'm not sure anyone is really surprised by this. Apple, for example, likewise calls out that you are at risk of an attacker using timing attacks to construct an authentication oracle for PAC, which is much more explicit about when exactly authentication checks actually happen.