Put simply, if there's a use-case for not overwriting the keychain, it's far outnumbered by the use-cases where the job should overwrite the keychain. Not overwriting the keychain with the new one effectively stops the job from getting any certificate updates, which causes more problems than it solves.

If there really is a need for this feature, it should be marked with a warning that this behavior is not the norm.

Deleting the keychain after build creates unexpected behavior because of a defect in xcode-plugin. Hard to explain, but it has to do with how xcodeplugin keeps track of which keychain is the current keychain.