First of all, a public app should never be asking for an email unless a user explicitly clicked on the sign in button in the menu.
Second, it is normal behavior for any sign in, whether it’s the sign in button on a public app or a sign in on an app that’s set to public with email or whitelist, to require a pin. It has always been this way and the pin is there to ensure that there is no unauthorized use of someone else’s email. I wouldn’t want someone to sign into an app using my email without my knowledge. I’m not sure how you were doing this without being prompted for a pin.
If anything, it may have been a bug to allow you to do that…and a big security bug in my opinion. Maybe it was patched recently.