So, the bottom line is that if your solution requires an authentication server (AS), you’re compromised. I reached a similar conclusion with OAuth 2.0.
The cynical side of me is that mainstream industry is perfectly happy with MLS because when an authority leans on them to comply with chat control, etc., they can do it.