The long-term goal is to disallow exits from non-APF libraries. However, because that would be a compatibility issue, AUTH=NO is still supported.
Broadcom strongly recommends NOT putting Endevor exits in a library that's part of the CONLIB DD, because doing so is a data integrity exposure.
There is also a common misunderstanding about APF-authorized libraries. First, an APF-authorized library has to be protected with proper security rules. Second, executing a program out of an authorized library doesn't mean that the program runs with authorization. APF authorization means that reentrant programs will be loaded in protected storage to make sure that the code path can't be changed. In Endevor, the CALLAPF=YES parameter means that the exit will run authorized only if it was linked with AC(1).
In short, APF authorization is a protection mechanism that exists to guarantee data and system integrity. It should be used, not avoided.