This seems like the crux of the issue. MP and the Jakarta Core Profile don't require Servlet, and there are implementations that don't see Servlet as something useful for them. We also have important implementers of Servlet who don't see EE Full Platform or Web Profile as useful for them. But EE has security specs that are tied to Servlet.
Well, the question is, are they really tied to Servlet conceptually, or is it more of a belief?
The two SPIs which Jakarta Security uses for integration with a container (Jakarta Authentication and Jakarta Authorization), are those really tied to Servlet? Or do people just assume they are?
Jakarta Security itself has the HttpAuthenticationMechanism, which uses the HttpServletRequest and HttpServletResponse. As I've argued before, it's a truly sad state of affairs that in Jakarta EE (and MicroProfile) we've come to have important vendors who don't see the most basic of basic things of the web (the request and the response of an HTTP request) as useful for them.
Kind regards,
Arjan Tijms