Thanks for pointing this out. And it’s something we will do.
As a huge distributed company, our strategy is to encourage (and if possible compel) this practice. But each feature team is accountable for this.
However, to expose their endpoints - as they are webhook handlers for a SaaS service - they must use the company’s gateway. Here we’re able to manage global security rules, like forcing at least one of the whitelisted identification/authentication mechanisms.
But there is no signature verification there, to avoid CPU-bound limits on the gateway, to avoid secret-sharing problems, and so on.
Hope it helps you to better understand our concerns. And not only ours, as I found other posts about this.