When you make calls to ArcGIS Online (and ArcGIS Server) you have to pass a token as a URL argument. The problem with that is that tokens are large. That is a problem because there is a magic size past which HTTP GET operations have to be converted to HTTP POST in order to avoid size limitations.
The thing that is interesting here is the ability to put the token in the authorization header. I am thinking that if ArcGIS * supported this then it would be more efficient because HTTP GET operations can be cached, i.e. more performant.
