I think it is correct from a Security Standpoint to have a different end point for WebService Calls and regular HTTP requests. From the Secure Proxy Perspective, it is primarily a proxy. Hence the default VHs would serve only proxy functions. Combining the WS Calls in the same VH would create a lot of interference and possible performance issues within the single VH.
From a functional standpoint, as long as different VHs share the same cookie domain, SMSession is passed to different VHs. Hence I think this is cleaner, with segregated role functions for each VH. In fact, you’d see customers want clear segregation of traffic. Check the new SPS ERs that have been raised.
I do agree that from a deployment & operational maintenance perspective this is a tad difficult; however, the wider benefit of segregation of traffic does weigh in heavily. Hence the design of running AuthAzWS on a VH of its own.
Regards
Hubert