I don’t use LTI, but reading some docs, it appears that JWKs are required on Tools for only a subset of actions, e.g. sending messages to LTI or deep linking or requesting access tokens. LTIAuthenticator doesn’t do any of those things, it only accepts and verifies launch requests, so the only message direction is LMS->JupyterHub, not LTIAuthenticator->LMS, which would require JWKs on the LTIAuthenticator.
If some providers require JWKs to be set up even if unused, that could be added to LTIAuthenticator without too much difficulty (a new Handler would be added for the JWKs endpoint, it could generate any random key pair on startup).