FW at the branch office in SD-WAN solution?

What is the use case of having a physical FTD or PAN FW at the branch office in SD-WAN solution? Doesn’t Cisco SDWAN solution have fully integrated FW in in cEDGE? If yes, then why people deploy FW at the branch office? Why then people send internet traffic to Cisco Umbrella or zScalar if you have a on-prem FW? If you don’t put a on-prem FW than who then protects the branch to branch traffic as it doesn’t go through Cisco Umbrella or zScalar?

In a design and implementation I worked on, we put Palo Alto Firewalls behind the Cisco ISR routers (SDWAN Spokes) to protect each branch sites. This was done for a number of reasons. 1. The security features at the time (2 years ago) was pretty poor from Cisco. 2. Customer wanted features on the Palo Alto Firewall that Cisco/Zscaler does not support. 3. The customer is a Palo Alto user, all of there support know the equipment/vendor and they wanted to keep it.