Preemptive authentication is used in Basic Authentication. The header of the basic authentication is simply btoa(username:password) that results in a base64 string that is easily decoded.
If you would use this authentication profile over http protocol, everybody can read the credentials. So you're probably using https. But even then, you are not sure whether the connection is safe. It might be that the end point is compromised and returns invalid certificates. Then the connection is not established, but the credentials are already sent to the other party.
So, you should never use preemptive authentication and if you have an influence on the end point, make sure they do not require it to work.