When self-hosting stuff, it’s just incredibly difficult to properly set this up while maintaining compatibility with HTTP for other stuff. Usually you’ll have one reverse proxy (e.g. nginx) handling HTTP/HTTPS encryption and forwarding to a socket (or, in the case of Docker, one of a dozen open ports on one of a hundred interfaces, fuck you, Docker) over HTTP. The APIs themselves almost never have direct HTTPS support, and even if I wanted to manage them directly, certbot only supports reverse proxies directly. So you need to differentiate between API and non-API in the reverse proxy.
Why can a Word or Excel file execute shell code? Why does M$ SQL Server have xp_cmdshell?
Because devs chose to live in this part of the world, dictated by M$ and other large companies, who just don’t care.