in addition to ID'ing to NickServ and Opering, protecting OS access with optional hostmask only makes sense. Some may argue it's pointless since we have such other measures as mentioned. However, some networks don't use OSOpersOnly which removes the is_oper requirement leaving only NS authentication which only takes ANYONE identifying as a privileged user to gain access. With requiring hostmask matching as well, it'll be a bit harder to gain access to OperServ.