96 mentions that Decrypt needs to return the encryption context (either the EC from the message or what the CMM returns) so that callers can check that all expected key-value pairs match. It would be simpler for callers to provide the expected sub-EC and have the decrypt operation check itself - the logic is not complicated, but there's no good reason to make the caller perform this check, and it introduces the risk that callers will neglect to do it.
Making this required input would be a breaking change, so implementations will likely want to introduce a new overload of the Encrypt operation and deprecate the current one.
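The check that the proposal moves inside the decrypt operation, as an added example that is not part of the original issue and not SDK code: the caller supplies the expected sub-EC, and plaintext is only released when every expected key-value pair is present in the authenticated encryption context returned with the message. `sdk_decrypt`, `CONSTRUCTED_MESSAGE` and the wrapper names are assumptions made up for this illustration.

```python
from typing import Dict, Mapping, Tuple


class EncryptionContextMismatch(Exception):
    """Raised when the message's EC does not contain every expected key-value pair."""


def context_matches(expected: Mapping[str, str], actual: Mapping[str, str]) -> bool:
    # Every expected pair must be present with an identical value. Extra keys in
    # the message are allowed: the caller names a sub-EC, not the whole EC.
    return all(k in actual and actual[k] == v for k, v in expected.items())


def verify_encryption_context(expected: Mapping[str, str], actual: Mapping[str, str]) -> None:
    missing = sorted(k for k in expected if k not in actual)
    mismatched = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    if missing or mismatched:
        raise EncryptionContextMismatch(f"missing={missing} mismatched={mismatched}")


# Constructed stand-in for an SDK decrypt call (hypothetical, not the real API):
# returns the plaintext together with the EC that was authenticated as part of
# the message header.
def sdk_decrypt(message: Dict) -> Tuple[bytes, Dict[str, str]]:
    return message["plaintext"], dict(message["encryption_context"])


def decrypt_with_required_context(message: Dict, expected: Mapping[str, str]) -> Tuple[bytes, Dict[str, str]]:
    # The check happens here, before plaintext reaches the caller, so a caller
    # that forgets to compare the returned EC cannot silently accept the wrong one.
    plaintext, actual = sdk_decrypt(message)
    verify_encryption_context(expected, actual)
    return plaintext, actual


# Constructed sample message for a local run.
CONSTRUCTED_MESSAGE = {
    "plaintext": b"secret",
    "encryption_context": {"tenant": "acme", "purpose": "backup", "region": "eu-west-1"},
}

if __name__ == "__main__":
    print(decrypt_with_required_context(CONSTRUCTED_MESSAGE, {"tenant": "acme"}))
```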