Jun 4, 2024
Why are Session HTTP Only and Same Site overwritten in EnsureFrontendRequestsAreStateful?
Hi, I just realized that the configureSecureCookieSessions method of the EnsureFrontendRequestsAreStateful middleware always overwrites session.http_only and session.same_site, both for frontend and non-frontend requests. But they are not overwritten for requests to web routes, only API routes. Is there a reason behind this?