Introducing Authentication#toBuilder and using it on each filter means that any application using a custom authentication mechanism will have that turned into an internal authentication implementation if their custom implementation doesn't implement toBuilder.
We can improve passivity here by moving toBuilder to a separate interface. In this way, fewer applications will need to implement Authentication#Builder for their custom implementations as part of upgrading.
Note that this does not address custom implementations of Spring Security's concrete authentication classes. These will still need to implement the toBuilder method to preserve their type.
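
A sketch of the opt-in interface idea described above, added here as an illustration and not taken from Spring Security's code. Every type name (Auth, BuildableAuth, PasswordAuth, BadgeAuth) and the ROLE_EXTRA authority are hypothetical stand-ins, and passing non-opting types through unchanged is an assumption about how a filter would treat them.

```java
import java.util.Set;
import java.util.TreeSet;

public class ToBuilderSketch {
    // Stand-in for Authentication; not Spring Security's interface.
    interface Auth { String name(); Set<String> authorities(); }

    // Hypothetical opt-in interface that carries toBuilder.
    interface BuildableAuth extends Auth { Builder toBuilder(); }

    interface Builder { Builder authority(String a); Auth build(); }

    // A type that opts in and rebuilds itself as its own type.
    record PasswordAuth(String name, Set<String> authorities) implements BuildableAuth {
        public Builder toBuilder() {
            Set<String> copy = new TreeSet<>(authorities);
            return new Builder() {
                public Builder authority(String a) { copy.add(a); return this; }
                public Auth build() { return new PasswordAuth(name, copy); }
            };
        }
    }

    // An application's custom type that was never updated to supply a builder.
    record BadgeAuth(String name, Set<String> authorities) implements Auth { }

    // Filter step: rebuild only when the type opted in (assumed behaviour).
    static Auth addAuthority(Auth current, String authority) {
        if (current instanceof BuildableAuth buildable) {
            return buildable.toBuilder().authority(authority).build();
        }
        return current; // custom type is kept, not replaced by an internal one
    }

    public static void main(String[] args) {
        // Constructed sample principals and authorities.
        Auth a = addAuthority(new PasswordAuth("alice", Set.of("ROLE_USER")), "ROLE_EXTRA");
        Auth b = addAuthority(new BadgeAuth("bob", Set.of("ROLE_USER")), "ROLE_EXTRA");
        System.out.println(a.getClass().getSimpleName() + " " + a.authorities());
        System.out.println(b.getClass().getSimpleName() + " " + b.authorities());
    }
}
```

In this sketch BadgeAuth comes back as the same instance without the added authority, which is the cost of keeping its type until the application opts in.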