In legacy stack, the requirement to include user/login policy, on frontend siteaccesses, for anonymous user is rapidly perceivable (if this policy is not granted, the site won't render for anonymous users).
In a SF based solution (for instance: 5.2 with eZ Demo design), this policy might not seem required, because the site will render correctly without. But, the user/login(<frontend-siteaccess>) is mandatory whenever content/download is accessed.

Which other legacy module/functions require this policy?

Would it be relevant to add some reference to this requirement into SiteAccessLimitation?