New default Elytron ApplicationDomain security domain allows anonymous authentication but PicketBox's default security other does not. As it's expected that ApplicationDomain should be equivalent to other security domain this should behave the same.
Customer impact: If customer switches from PicketBox to Elytron default security domain then it brings risk of unintentional permission of anonymous authentication. This would be security hole.
This is ongoing discussion from
JBEAP-9117 where this is discussed for messaging subsystem however this decision affects other subsystems and goes beyond messaging.