Jumping in here...SubjectConfirmationData is NOT optional for SSO, at least according to the SAML2 Profiles specification. I must be missing something.

Well, according to the SAML2 SSO Profiles you are right, it is not optional.
But according to this documentation (https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) it clearly is.
I will fix it asap.

FWIW, I believe the Profiles specification takes precedence here.

This has been changed specifically to be this way. See the discussion in #530 and commit message 980b34c. As Tom says SimpleSAMLphp is about the SSO profile.

Is there something not working for you that you want to change this?

Actually I tried to get module-attributeaggregator working with encrypted assertions by using this function to decrypt and validate the response received after querying the attribute authority.
The response only contains one assertion with an empty <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" /> which should be fine according to the specs, but breaks due to this restriction.