Sure, but you are forgetting about compliance and adopting the same standards org wise across thousands of projects spanning hundreds of teams and jurisdictions, and separate industry standards across. Thats what adopting something like Auth0 is for.