New features are often tested in staging. This can lead to behaviour that is enabled in staging, but disabled in production. Sometimes features get stuck in staging and never* really make it to production.
*Never say never, eventually those may get enabled in production.
Current examples (not necessarily complete):
POST-as-GET is mandated in staging, but not in production
RFC 8657 (CAA extensions) are supported in staging, but not in production