If you set encryption for client connections optional, that’s not too secure: clients may send their password in plaintext over the Internet.
If you require encryption, that may be not practical if you want to connect to Openfire from within your protected environment (e.g. from localhost). For example I haven’t found an PHP XMPP library yet, which would have reliably working TLS support. Also creating a secure connection frequently to openfire (e.g. from a web server acting as XMPP client) is an unnecessary waste of processing power.
Currently the workaround for this use case is to set encryption optional, does not allow port 5222 access from outside the firewall, and force clients to use the old SSL method (port 5223), which “will be deprecated in the future” according to the “Server Settings” page.