[opheliate]

AES-CBC with a random IV and solid HMAC should be fine, but the point is that, for a non-cryptographer, putting together an authenticated encryption construction yourself has potential footguns. Using a pre-made authenticated encryption construction like AES-GCM or Salsa20-Poly1305 avoids this.

Any platform with hardware acceleration for AES should hopefully have a carryless multiplication instruction anyway, so GCM will be fast. And if not, Poly1305 is so fast that another HMAC construction will perform worse. So there’s really no reason not to just use one of these two in 99% of cases.

[_8j50]

I agree that when you have a choice it should be done as you said. I am not even a developer and I've been in situations where aes-gcm or poly1305 (or ed25519 and other popular curves) were availabe. Sometimes it is b.s. internal politics, other times it is third parties that can "only" use a certain set of tools or dependencies and it is either come up with something custom or lose the deal/contract.