  1. OpenShift Service Mesh
  2. OSSM-8144

Cannot watch specific Istio resources cluster-wide when Gateway API controller mode is enabled

    • Bug
    • Resolution: Obsolete
    • OSSM 2.6.0
    • Maistra

      In spite of the description provided for the flag PILOT_ENABLE_GATEWAY_CONTROLLER_MODE (associated with the spec.techPreview.gatewayAPI.controllerMode config), where one can read:

      If enabled, istiod will watch Gateway API and k8s resources in every namespace, but Istio resources will be limited to namespaces that match the meshConfig.discoverySelectors

      some specific Istio resources may still be expected to continue to work (cluster-wide) on those deployments with Gateway Controller Mode enabled.

      This is notably the case of Istio AuthorizationPolicy, which complies with the Gateway API Policy Attachment specification, but also other Istio extension APIs, including (though possibly not limited to) WasmPlugin, EnvoyFilter, ServiceEntry.

      One of the use cases affected by this behaviour is Kuadrant (upstream for Red Hat Connectivity Link), which currently cannot anticipate all gateway namespace matchers to otherwise include in the discoverySelectors setting before creating the Istio custom resources Kuadrant depends on to implement its Gateway API-compatible policy APIs. As of today, AuthorizationPolicy, WasmPlugin and EnvoyFilter custom resources are created by Kuadrant as part of implementing its AuthPolicy and RateLimitPolicy APIs.

              Unassigned
              mcassola Guilherme Cassolato
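
The watch scope quoted in the description can be checked against a resource inventory. The following is an added example, not code from this issue or from Istio/OSSM: it applies Kubernetes label-selector semantics to discoverySelectors and lists the Istio resources that sit in namespaces outside that scope. Namespace names, labels and resource names are constructed, and treating a namespace as in scope when any selector matches (or when no selectors are set) is an assumption based on standard discoverySelectors behaviour.

```python
# Added example: models the scope from the quoted flag description.
# All namespaces, labels and resources below are constructed sample data.
ISTIO_KINDS = {"AuthorizationPolicy", "WasmPlugin", "EnvoyFilter", "ServiceEntry"}

def selector_matches(selector, labels):
    """Kubernetes LabelSelector: every requirement must hold."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and key not in labels:
            return False
        if op == "DoesNotExist" and key in labels:
            return False
    return True

def namespace_discovered(discovery_selectors, labels):
    """In scope if any selector matches; an empty list selects everything."""
    if not discovery_selectors:
        return True
    return any(selector_matches(s, labels) for s in discovery_selectors)

def unwatched_istio_resources(discovery_selectors, namespaces, resources):
    """List (kind, namespace, name) of Istio resources outside the watch scope."""
    return [
        (kind, ns, name)
        for kind, ns, name in resources
        if kind in ISTIO_KINDS
        and not namespace_discovered(discovery_selectors, namespaces.get(ns, {}))
    ]

DISCOVERY_SELECTORS = [{"matchLabels": {"istio-discovery": "enabled"}}]
NAMESPACES = {"mesh-apps": {"istio-discovery": "enabled"},
              "team-a-gateways": {"team": "a"}}
RESOURCES = [("Gateway", "team-a-gateways", "external"),
             ("AuthorizationPolicy", "team-a-gateways", "on-external"),
             ("WasmPlugin", "team-a-gateways", "ratelimit-external"),
             ("AuthorizationPolicy", "mesh-apps", "on-internal")]

if __name__ == "__main__":
    for item in unwatched_istio_resources(DISCOVERY_SELECTORS, NAMESPACES, RESOURCES):
        print("not watched by istiod:", *item)
```

The Gateway in team-a-gateways is not reported because Gateway API resources are watched in every namespace; only the Istio resources attached to it fall outside the selectors.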