...
a) Mostly security policies have to be enforced at the time of EVE Provisioning or at the first handshake after a reboot, to setup the execution environment for launching other pillar services. e.g. one may setup disk encryption or unlock the encrypted directories for use by pillar services later on. Thus this can not be tied into regular config processing logic inside zedagent since we need access to these policies at a very early stage, immediately after "client" gets the UUID, and before any of the pillar services are launched. In other words, enforcement of security policies needs to precede launch of any business logic inside pillar.
b) This security polices contain sensitive information like encryption keys, which is best handled only in memory, and not stored on the persistent storage like other config items. Having a separate API endpoint helps handling of security policies be modular and more maintainable, without disturbing how config related to other pillar services are handled.
...