Thanks for your thoughtful response. I think this confirms my notion that this is a reasonable approach for authentication to replace BASIC username/password authentication, similar to certificate sharing. Once we move to SSO and OAuth2/OIDC, we may change the way these JWTs are generated so they come from a server.
Currently any user of our system is able to use their credentials to call our web services, so this does not represent a loosening or expansion of control. We won’t pay much attention to the claims (since we don’t have control), other than requiring the use of standard values.