I have about 2 YoE, and I'm sure this changes with more experience.
I often hear this idea online that programmers should follow "just-in-time" learning, meaning you should prefer to learn things you don't know while on the job. ( The way some people talk about it, though, it sounds like you shouldn't dare spend a single minute learning anything new outside of your 9-5. )
This seems generally reasonable advice, especially for simpler things that take a few hours like learning a specific language feature, library, or similar. But when I lean too much on this JIT learning, it feels possibly detrimental.
Many times I do something big and new to me, say, deciding how to approach auth, microservice architecture design, automated testing, containerization, etc., I end up making a big decision after a few hours or days of cursory reading on documentation and blogs, only to come to regret it some months later. At that point, maybe I'll slow down, find a book on the subject, read it, and think, "Oh, darn, I wish I knew that N months ago." It certainly feels like spending more time learning upfront could have avoided mistakes due to lack of knowledge. Though there's no way to go back in time and know for sure.
I'm not asking about any area listed in particular. I feel like, for all of those, I've learned more in the time since, and would probably avoid some of my prior mistakes if I did it again. The question is more: How much do you subscribe to this idea of just-in-time learning? And if you do, how do you know when you've learned enough to be confident, or when you need to slow down and learn in more depth?
Sure — security is one area where you do need to be a specialist.
I'd say it's the exception that proves the rule though. Don't write your own encryption algorithms, don't invent new auth flows, do hire third parties to audit and test your security systems, etc etc. If you want to specialise in something like security, then yeah that's something you should study. But at the same time - every programmer should have general knowledge in that area. Enough to know when it's OK to write your own security code and when you need to be outsourcing it.