I don't know the initial reasons, but from my experience, Django has a couple of non-obvious implicit constraints on authentication / permissions that are fine for websites, but some APIs require more flexibility.
To name a few:
- No clear separation of concerns between authentication and permissions.
- It's not supposed to have different authentication schemes across views.
- Permissions are checked out of the context of the request.
- Permissions are linked to a model, not to a representation (the R of ReST).
I'm not sure I get your point here.
DRF is loosely coupled. You are free not to use DRF authentication / permission and fall back on Django's.
That would indeed be nice to start bridging that part with Django.
Unless this is a priority for someone, it'll likely remain in its current state.
Xavier.