The web apps at "<host>/camunda/app/welcome/default" don't receive a 404 response from the REST API if the password policy is disabled
Hints (optional):
Seeing 404 responses in the regular web app execution should point to exceptional cases
A disabled password policy is the default configuration of the engine and shouldn't lead to 404 responses in the web apps (and probably also not in general)
An empty response for a GET request for password policies might be totally fine
If a 404 response is desired when this is disabled to indicate the request does not make sense in this configuration, an endpoint to determine if it is enabled might be a nice addition and should be called by the web apps first before fetching the policy
L3 - Default 
