The paper covers some interesting points, the main one being that secure application roles can be used to protect access to data or rather privileges by not enabling the roles if an incorrect application is used. The point Howard makes is that unlike VPD this can be done on standard edition installations.
This method also gets around the issue of password protected roles being possibly bypassed. I talked about this some time ago in a short paper.
Howard covers a couple of good examples, the first gets a secure application role up and running and then he modifies it to be a bit more workable by using application contexts and logon triggers to set a token. The point being made is that the implementation can be changed without changing the client application code.