authmeth-09 says:
3.3.5. Rules for using SASL security layers
Because SASL mechanisms provide critical security functions, clients and servers should allow the user to specify what mechanisms are acceptable and allow only those mechanisms to be used.
By itself, I think this is bad advice, because most users know very little about security. I suppose many clients will have to ask their users, but preferably they should also explain the implications of what they allow the user to select.
Ciao, Michael.
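
The rule quoted above (only mechanisms the user approved may be used) and the suggestion to explain each choice can be combined in client code. The following is an added example, not part of the original message or of the draft. The mechanism names are registered SASL names; the descriptions, the preference order, the refusal of `PLAIN` without TLS and the helper names are assumptions of this sketch.

```python
# Added example: enforce a user-approved SASL mechanism list on the client.
# Descriptions and preference order are assumptions of this sketch.
IMPLICATIONS = {
    "EXTERNAL":   "identity taken from the lower layer (e.g. TLS client certificate)",
    "GSSAPI":     "Kerberos; password never sent; can negotiate a security layer",
    "DIGEST-MD5": "challenge-response; password never sent; can negotiate a security layer",
    "CRAM-MD5":   "challenge-response; password never sent; no security layer",
    "PLAIN":      "password sent as-is; only safe inside an encrypted channel",
    "ANONYMOUS":  "no authentication at all",
}
PREFERENCE = list(IMPLICATIONS)   # most preferred first (assumed order)
CLEARTEXT = {"PLAIN"}             # mechanisms that expose the password on the wire


class NoAcceptableMechanism(Exception):
    """Raised instead of silently falling back to a mechanism the user did not allow."""


def describe(allowed):
    """Lines a client could show beside each choice in its settings dialog."""
    return [f"{m}: {IMPLICATIONS.get(m.upper(), 'unknown mechanism, no description')}"
            for m in allowed]


def select_mechanism(advertised, allowed, tls_active):
    """Return the most preferred mechanism that is advertised AND user-approved.

    Mechanisms outside PREFERENCE are never chosen, and a cleartext mechanism
    is skipped unless the connection is already encrypted.
    """
    offered = {m.upper() for m in advertised}
    approved = {m.upper() for m in allowed}
    for mech in PREFERENCE:
        if mech not in offered or mech not in approved:
            continue
        if mech in CLEARTEXT and not tls_active:
            continue
        return mech
    raise NoAcceptableMechanism(
        f"server offers {sorted(offered)}, user allows {sorted(approved)}")


if __name__ == "__main__":
    # Constructed sample: server advertisement and user policy.
    print("\n".join(describe(["DIGEST-MD5", "PLAIN"])))
    print(select_mechanism(["PLAIN", "DIGEST-MD5"], ["DIGEST-MD5", "PLAIN"], False))
```

If the advertised list contains nothing the user approved, the client stops with an error rather than picking a weaker mechanism.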