Ref T13098. Historically, we've seen some issues (particularly with Mercurial) where naming a branch something like --execute-remote-website=evil.com would evaluate even with "--" in the argument list (see T13012).
We're broadly better about this, but still need to parse arguments in multiple phases, and callers/users aren't always careful about using -- to terminate argument lists.
To reduce the danger of flags like --config, --load-library, etc., allow argument parsing to require that they appear before workflow arguments, so arc --config xyz diff is valid, but arc diff --config xyz is not. This reduces the chance that some user script somewhere which does arc diff %s instead of arc diff -- %s will ever be able to do anything truly dangerous.