Sling authentication handler vs Login module



I read many blogs and post in Stackoverflow but could not understand exactly which one is appropriate in which situation.
What I understood till now is, custom authentication handler should be written when user needs to redirected to 3rd party system for authentication and then AuthenticationInfo object is sent to the DefaultLogin module.

Now custom login module is used when there is a need to sync user data into AEM from 3rd Party system. During the synchronization process custom login module also authenticate user against 3rd party. But this can also be possible in authentication handler also.

If I look at the out of the box SAML authentication handler then it does not have login module to synchronize user data, rather SAML authentication handler itself synchronize user data. Why there is such difference in implementation? Which one is applicable in which scenario? Does login module gives extra level of security?