Support Hybrid Search on premise with a SAML authentication mode
Allow ADFS users to search on premise on their Online AND OnPremise content. ADFS is the only way to provide SSO between the Online and OnPremise environments, but it cannot be used because of the ACL mapping in the Cloud SSA when returning results OnPremise.
Matti Loebel commented
As far as we know, the only feasible approach to realize custom security in SharePoint Online is to mirror all custom security principals in an Active Directory. To protect the productive Kerberos Token, we would need to set up an additional AD forest to sync custom security groups to Azure AD.
This is very annoying because the implementation becomes unnecessarily complex and expensive.