How to use refresh_token in lock v10?

The renewAuth method is meant to be non-interactive, so making it available in a lower-level library (Auth0.js) which does not impose a UI could be one explanation for the inclusion in Auth0.js and not in Lock.

IIRC, the nonce is not mandatory and you should be able to call that method without providing it; the nonce would only pertain to a request, so it does not have any relation to previous requests, independently of the way those previous requests were made.

There is a gap in using Lock embedded in a client app alongside API Authorization or OIDC compliance; we are working on that.