Auth details are effectively ephemeral, as one has to dynamically get new auth credentials every time they are needed. This does not play well with many cluster schedulers' expectations because mainstream Docker registries don't work this way.
Perfect example of lazy developers by pushing state to clients so implementation of backend in easier and more scalable
Now the complexity is in the client, making ECR an inferior product because it's really painful to use
Various band-aids like awslabs/amazon-ecr-credential-helper were created to address this. Now that band-aid repo has issues like "we need this for other architectures like ARM" as well..