Aside from all the small added complexities of swapping between local http polling vs mqtt pub/sub for both apps and devices, the big complexity is managing authorization. Think about how simple the device firmware gets to be if the only access pattern is a single secured mqtt channel for processing commands. Anything coming down that pipe comes from a cloud provider that has already negotiated who can and can't send those commands. When you open up local access the device itself now needs more code to manage authorization and all the attack surfaces that come along with that.
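To make the trade-off above concrete, here is an added example (not code from the commenter or any real product) contrasting the two command paths in a device firmware. The cloud-only handler assumes the commands arrive over a single mutually authenticated MQTT channel where the broker has already decided who may publish, so the firmware only validates the command shape. The local-HTTP handler has to carry its own token check and per-command scope check. The token table, command names and scopes are constructed sample values.

```python
import hmac
import json

# Constructed sample: commands the device understands and the scope each needs.
COMMAND_SCOPES = {"set_light": "control", "reboot": "admin"}

# Constructed sample: a local-access token table the device would have to
# provision, store and rotate itself. Values are made up for this example.
LOCAL_TOKENS = {
    "app-token-1": {"scopes": {"control"}},
    "admin-token-9": {"scopes": {"control", "admin"}},
}


def _parse_command(payload: bytes):
    """Shared shape validation: returns the command name or None."""
    try:
        cmd = json.loads(payload)
    except ValueError:
        return None
    name = cmd.get("name") if isinstance(cmd, dict) else None
    return name if name in COMMAND_SCOPES else None


def handle_cloud_command(payload: bytes) -> dict:
    """Cloud-only path (assumption: the only transport is one mutually
    authenticated MQTT subscription). Authorization already happened at the
    broker, so the firmware just validates the command and executes it."""
    name = _parse_command(payload)
    if name is None:
        return {"ok": False, "error": "bad command"}
    return {"ok": True, "executed": name}


def handle_local_command(headers: dict, payload: bytes) -> dict:
    """Local HTTP path: the device now owns authorization. Every step here is
    code (and attack surface) the cloud-only firmware does not need."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"ok": False, "error": "missing token"}
    presented = auth[len("Bearer "):].encode()

    # Compare against every stored token with a constant-time comparison so
    # timing does not reveal how much of a guess matched.
    match = None
    for token, info in LOCAL_TOKENS.items():
        if hmac.compare_digest(token.encode(), presented):
            match = info
    if match is None:
        return {"ok": False, "error": "invalid token"}

    name = _parse_command(payload)
    if name is None:
        return {"ok": False, "error": "bad command"}

    # Scope check: a token that may control the light must not reboot the box.
    if COMMAND_SCOPES[name] not in match["scopes"]:
        return {"ok": False, "error": "insufficient scope"}
    return {"ok": True, "executed": name}


if __name__ == "__main__":
    print(handle_cloud_command(b'{"name": "reboot"}'))
    print(handle_local_command({"Authorization": "Bearer app-token-1"},
                               b'{"name": "reboot"}'))
```

The point of the contrast is the second function: token storage, constant-time comparison, scope mapping and the error handling around all of it are exactly the "more code to manage authorization" that local access pulls into the device, and each of those pieces is something that can be implemented wrongly and must be tested and maintained on the device rather than at the cloud side.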