Currently there is only one DEFAULT_APP entry that is applied to every request, including non-authenticated.
When a plugin needs to declare public services, i.e. services accessible by non-authenticated users, the plugin needs to update the DEFAULT_APP entry and add the services. This will happen probably during plugin initialization when plugin recognizes the services are missing in DEFAULT_APP policy.
Portal administrator may later change DEFAULT_APP and remove some of the newly declared public services, which can cause conflict and unknown behavior during plugin initialization.
Goal of this story is to allow to define multiple "default" policies so that each plugin can declare own "default" policy. This policy can be than changed or disabled by portal administrator, consequently plugin can still verify the policy exist and there is no need to redefine / update it.