Customer API update oversights

customerUpdate - Storefront API
The customerUpdate mutation feels half finished. You can update email marketing permissions, but not SMS?
You can’t even update MetaFields without using the Admin API.

Are these intentional security choices (I don’t see how metafields possibly could be)? Or is this just an overtsight that will be fixed?