This is the point. We try to lower the requirements on the NS side as much as possible to ease the integration with existing Active Directory environments, where making any kind of security policy change is an issue! That means no custom ACLs for anonymous binds, and no SSL certificate installation to protect clear-text protocols.
In this scenario, on the ns6 Postfix side, GSSAPI auth-binds seemed the only possible way. It led to other kinds of issues, for instance Kerberos ticket renewal, which is somewhat complex to deal with.
However, on ns7 we have our hands free to design a new solution for those who want to read email addresses from AD.
Anonymous bind could be an interesting option for those who can adopt it, but it cannot be the default. Just to have an idea, do you have any pointer to a good guide for the Windows administrator that explains how to configure the AD side for anonymous binds?