One often-overlooked advantage of moving away from the "SPA-everything" mindset is the security footprint. Managing state, authentication, and CSRF protection across a decoupled React frontend and a Python backend adds layers of complexity where things can go wrong. By staying within the Python ecosystem for the majority of the logic and using HTMX for the interactivity, you reduce the attack surface and make the implementation of 2FA and secure session management much more straightforward.
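To make the CSRF and session point concrete, here is an added example (not code from the original text or from any framework) of a server-rendered flow in standard-library Python: the session lives in an HttpOnly cookie, and the CSRF token is bound to that session and attached to every HTMX request through the `hx-headers` attribute. The function names, the `X-CSRF-Token` header name and the `/account/2fa/enable` route are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from html import escape
from typing import Mapping, Optional

# Constructed per-process key for the example; a real app loads it from secret storage.
SERVER_KEY = secrets.token_bytes(32)
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def new_session_id() -> str:
    """Opaque random session id; all session state stays on the server."""
    return secrets.token_urlsafe(32)


def session_cookie(session_id: str) -> str:
    """Set-Cookie value: HttpOnly keeps the id away from page scripts."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def csrf_token(session_id: str) -> str:
    """CSRF token bound to one session: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_page(session_id: str) -> str:
    """Server-rendered HTML; hx-headers on <body> is inherited by child requests."""
    header_json = escape('{"X-CSRF-Token": "%s"}' % csrf_token(session_id), quote=True)
    return (
        f"<body hx-headers='{header_json}'>"
        '<button hx-post="/account/2fa/enable" hx-swap="outerHTML">Enable 2FA</button>'
        "</body>"
    )


def check_request(method: str, session_id: Optional[str], headers: Mapping[str, str]) -> int:
    """Return 200 if the handler may proceed, else the status to reject with."""
    if method not in UNSAFE_METHODS:
        return 200  # safe methods must not change state, so no token is required
    if not session_id:
        return 401  # no session cookie: not authenticated
    sent = headers.get("X-CSRF-Token", "")
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(sent.encode(), csrf_token(session_id).encode()):
        return 403  # token missing, forged, or issued for another session
    return 200
```

Because the same Python process renders the page and checks the request, there is no separate client-side token store or API client to keep in sync.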