As far as I understand, subscribing to EventSub events, in most if not all of the cases, requires an authentication as the channel’s broadcaster. However, most of the events are public and appear openly in the chat.
Taking for example the channel point reward Redemption events :
anyone in the chat can see that a viewer has redeemed a reward
any moderator can act on that reward by confirming it or cancelling it (refunding the channel points in that case)
Yet, the current API system, as I’ve been told from the maintainers of a third-party wrapper module, only allows either of those from the broadcaster account.
Why can’t I create a mod-bot that refunds the redemptions, or that even reacts to them ?
Because what is allowed via third party has different rules to what is allowed first party.
Both legal and functional.
Thats before we touch on the fact that the API only lets you control rewards created by the same client ID. (this stops say cult of the lamb twitch extension screwing with your ClientID created rewards for example)
Additionally: this means that the channel owner has ultimate control of the tools that can access their channel wrt to channel points