ipsec-policy question

It’s for later. When you have a policy-based IPsec tunnel, it’s usually between a local subnet and a remote subnet. The router sees packets from the local subnet leaving via the WAN interface. If you have unconditional srcnat/masquerade on WAN, everything will have its source changed to the router’s WAN address. And it will break the tunnel, because the packets will no longer match the policy. This extra option automatically excludes all tunnelled traffic from NAT.
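An added configuration example (not from the original post) that shows the problem and the fix on MikroTik RouterOS, where the `ipsec-policy` matcher is what the post refers to. The interface name `ether1`, the subnets and the peer address are assumptions for illustration:

```routeros
# Policy-based tunnel: local 192.168.88.0/24 <-> remote 10.10.10.0/24
# (addresses are assumed; the peer/identity setup is omitted)
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=10.10.10.0/24 \
    tunnel=yes sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 \
    proposal=default

# Broken: unconditional masquerade rewrites the source of every packet
# leaving ether1, including 192.168.88.x -> 10.10.10.x. After NAT the
# source is 203.0.113.10, which no longer matches the policy, so the
# traffic is sent in the clear instead of through the tunnel.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

# Fix (option 1): only masquerade packets that match no outbound
# IPsec policy. Tunnelled traffic is left untouched.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 ipsec-policy=out,none

# Fix (option 2): accept policy-matched traffic before the general
# masquerade rule, so it never reaches it. Rule order matters here.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec
add chain=srcnat action=masquerade out-interface=ether1
```

Either form works; option 1 keeps a single rule, option 2 is easier to extend when several NAT rules must all skip tunnelled traffic. After applying it, `/ip ipsec installed-sa print` and the policy’s `ph2-state` are the places to confirm the tunnel is actually carrying the traffic again.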