The use-case is EXTERNAL + role derived from mgmt-groups.properties. To achieve this use-case a realm aggregate is needed. Each aggregated realm can't be configured with its own principal-transformer. So each realm is impacted by the transformer set on the aggregation.
Allowing to configure each realm separately would offer the flexibility to isolate principal transformation for authorisation and not impact authentication.

Authentication impact is quite important, an alias in the trust-store and the decoded principal must match exactly. Something that shouldn't be made mandatory in this case.