CSRF routes exclusion

[Obyka]

Hello,
While configuring NADA, I saw that several routes are excluded from the anti-CSRF token generation (see snippet below)
In my understanding, some of these routes like admin/catalog/update could benefit from CSRF protection.
Is there a technical reason why these path are excluded ? If not, what is the most correct and recent way to include the CSRF token in NADA ?

$config['csrf_protection'] = FALSE;
$config['csrf_token_name'] = 'ncsrf';
$config['csrf_cookie_name'] = 'ccsrf';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = FALSE;
$config['csrf_exclude_uris'] = array(
    'auth/.*+',
    'admin/citations/find_duplicates',
    'admin/citations/find_surveys',
    'api/.*+',
    'catalog/.*+',
    'admin/catalog/update',
    'admin/pdf_generator/.*+',
    'admin/survey_alias/.*+',
    'admin/catalog_tags/.*+',
    'admin/catalog/set_featured_study/.*+',
    'admin/catalog/update_doi.*+',
    'admin/catalog_notes.*+'
);