The issue is that to setup push notifications for an app you link your apps bundle id/package name with the Apple/Google developer account that you publish with. For the Zulip app that will be the developer account owned by Zulip. Your app is then signed with credentials linked to that account as well.
When you want to send a push notification to the app you use an API key from that developer account. This lets Apple/Google know which app to send it to and confirms you have the permission to do it.
If Zulip wanted to allow a self-hosted notifications server to send notifications directly to Apple/Google and into the app they publish on the app stores then they would need to give out the API key from their developer account to everyone.
You wouldn't be able to do much without the matching device push token (a unique token per device which lets Apple/Google know which device you want to send a message to) but anyone could use that API token to attempt to spam messages which is a quick way to get your developer account banned, or at the very least have your access to the push API severly limited.
I'm sorry, why would they do that? Instead of building their own API key infrastructure and proxy the requests to the respective notification services? For an example, please see Mattermost's on-prem notification implementation.
When you want to send a push notification to the app you use an API key from that developer account. This lets Apple/Google know which app to send it to and confirms you have the permission to do it.
If Zulip wanted to allow a self-hosted notifications server to send notifications directly to Apple/Google and into the app they publish on the app stores then they would need to give out the API key from their developer account to everyone.
You wouldn't be able to do much without the matching device push token (a unique token per device which lets Apple/Google know which device you want to send a message to) but anyone could use that API token to attempt to spam messages which is a quick way to get your developer account banned, or at the very least have your access to the push API severly limited.