IMO, it's plausible that Airoha and the OEMs did not know about this. The tooling may have been written in a pseudo-secure manner, i.e. requiring pairing (on the client side) before attempting all the debugging/firmware update commands. The tools may simply assume that pairing is required or only list targets from those that are paired and connected, which gives the illusion that the air protocol requires this.
All it really takes is some engineer missing an if-statement to check that the connection is bonded before processing the packets.
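The gap the comment describes, sketched as an added example that is not part of the original comment and not Airoha's or any OEM's code: a device-side command dispatcher with and without the bond check. The opcode values, status codes, struct fields and function names are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* All names and opcode values below are hypothetical, for illustration only. */
enum { OP_GET_BATTERY = 0x01, OP_READ_FLASH = 0x10, OP_FW_UPDATE = 0x11 };
enum { ST_OK = 0, ST_UNKNOWN_OP = 1, ST_NOT_AUTHORIZED = 2, ST_MALFORMED = 3 };

struct link {
    bool bonded;     /* peer completed pairing and keys are stored */
    bool encrypted;  /* link is currently encrypted with those keys */
};

/* Debug and firmware-update commands are the privileged ones. */
static bool op_is_privileged(uint8_t op) {
    return op == OP_READ_FLASH || op == OP_FW_UPDATE;
}

static int run_op(uint8_t op) {
    switch (op) {
    case OP_GET_BATTERY:
    case OP_READ_FLASH:
    case OP_FW_UPDATE:
        return ST_OK;          /* real work would happen here */
    default:
        return ST_UNKNOWN_OP;
    }
}

/* Device relies on the vendor tool only ever talking to paired targets. */
int dispatch_unchecked(const struct link *l, const uint8_t *pkt, size_t len) {
    (void)l;                   /* link state is never consulted */
    if (pkt == NULL || len < 1) return ST_MALFORMED;
    return run_op(pkt[0]);
}

/* Device enforces the bond itself, whatever client is on the other end. */
int dispatch_checked(const struct link *l, const uint8_t *pkt, size_t len) {
    if (l == NULL || pkt == NULL || len < 1) return ST_MALFORMED;
    if (op_is_privileged(pkt[0]) && !(l->bonded && l->encrypted))
        return ST_NOT_AUTHORIZED;   /* the if-statement in question */
    return run_op(pkt[0]);
}
```

A test that drives the handler only through the vendor tool cannot tell these two functions apart, because the tool never sends a privileged opcode over an unbonded link.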