The only problem is when it's the _only_ security for certain types of threat models that require defence in depth - such as credentials in authentication.