The problem in this case is that there are workarounds allowing you to impersonate a DC. For example, someone could sniff your DNS requests and use ARP poisoning to redirect your requests for GPO files or login scripts to its own servers, and Windows would automatically downgrade its SMB security to connect to this fake DC. This could easily be done to a computer connecting in a remote network, even if its corporate trafic is in a VPN. Read up on this article from the guys who found the vulnerabiltiy:
One issue which Microsoft also did not mention is how AD-joined Windows systems by default leak a lot of info, and will send out DNS requests for domain resources from ANYWHERE. It doesn't matter that the servers aren't available from the Starbucks WiFi, Windows will still do DNS requests for "domain.local" and try to run "\\domain.local\NETLOGON\logon.bat".