They should have absolutely added a no-store cache directive. It is crazy that they didn’t and instead just checked if browsers cached it or not. To rely on undocumented behavior when there is a specific documented way to do what you want is just bizarre.
Sure, but now look at general HTTP APIs and see how many set any kind of Cache header. I wouldn't be surprised if _many_ APIs used by (Phone)Apps and a (Web)App do not do so and might leak private data into the cache, maybe even secret keys or one-time tokens like recovery codes.
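
Added example, not part of either comment above: a small audit that classifies whether a private cache (a browser or an app's HTTP cache) is permitted to store a GET response, following the storage rules in RFC 9111 and the heuristically cacheable status codes in RFC 9110. The endpoint paths and sample responses are constructed, and the check assumes final responses to GET requests only.

```python
# Status codes a cache may store without explicit freshness (RFC 9110, section 15.1).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Parse Cache-Control into {directive: argument or None}.
    Simplified: does not handle quoted arguments that contain commas."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit_response(status, headers):
    """Classify whether a private cache may write this GET response to storage."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "not-storable"
    explicit = bool({"max-age", "public", "private"} & cc.keys()) or "expires" in h
    if not explicit and status not in HEURISTICALLY_CACHEABLE:
        return "not-storable"
    if "no-cache" in cc:
        return "storable-revalidate"  # still written to the cache, revalidated before reuse
    return "storable-explicit" if explicit else "storable-heuristic"

def find_storable(responses):
    """Return (path, verdict) for every response a private cache may keep."""
    results = [(path, audit_response(status, hdrs)) for path, status, hdrs in responses]
    return [(p, v) for p, v in results if v != "not-storable"]

# Constructed sample responses; the endpoint paths are hypothetical.
SAMPLES = [
    ("/api/recovery-codes", 200, {"Content-Type": "application/json"}),
    ("/api/session", 200, {"Cache-Control": "no-cache"}),
    ("/api/profile", 200, {"Cache-Control": "private, max-age=60"}),
    ("/api/token", 200, {"Cache-Control": "no-store"}),
    ("/api/keys", 500, {"Content-Type": "application/json"}),
]

if __name__ == "__main__":
    for path, verdict in find_storable(SAMPLES):
        print(f"{path}: {verdict}")
```

Only the `no-store` response and the 500 without caching headers are reported as not storable; a 200 with no cache headers at all is left to the cache's own heuristics.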