Sshd has an option AuthorizedKeysFile, which could override default authorized_keys path from ~/.ssh/authorized_keys to something else, for example "/etc/ssh/authorized_keys/%u".
This configuration allows to have user keys in immutable maner, when only system administrator could add and remove new authorized keys to system. Keys placed in /etc/ssh/authorized_keys/%u just need to have read permission for user to login.
Puppet now have hardcoded permission in ssh_authorized_key:
This settings made "target" attribute (The absolute filename in which to store the SSH key) completely unusable. More over after commit b29b1785d543a3cea961fffa9b3c15f14ab7cce0 which fixed CVE-2011-3870 directory in target attribute must be writable by key owner. So now it is no matter where to store authorized_keys with puppet - user will always have write permission to change it.
An ability to disallow authorized_keys in user home dirs is mandatory, for example when TrustedUserCAKeys configured and used with sshd, because user could just put his authorized_key and bypass expiration of his signed certificate.
According to commit history
https://github.com/puppetlabs/puppet/commits/master/lib/puppet/provider/ssh_authorized_key/parsed.rb few years ago there were check for keys mode in case of "targed" attribute use, but sadly it was removed in recent versions.