csrf protection with moodle

Re: csrf protection with moodle

by Richard Lobb -
Number of replies: 1

Jobe uses the RESTserver plugin for the CodeIgniter framework. CodeIgniter is a simple general-purpose web application framework and the config file you're reading belongs to that. The advice in that file relates to web sites but is not relevant to Jobe, as Jobe is not a website. It's not really even a web service, as it's used only by a single Moodle server on a private communication channel.

Session tokens relate to the communication between a web browser and a web site. But you're not using a web browser to talk to Jobe - it's a satellite service for Moodle. No browser, no website, no session tokens, therefore no CSRF attack potential.

Sure, the user talks to Moodle using a web browser, but Moodle is the gatekeeper here. Once the request has been authenticated by the Moodle frontend, the various functions, processes and services within Moodle should just proceed to do what they're told. Although it doesn't actually happen at present, it would be entirely reasonable for a regular system maintenance task, unrelated to any particular user, let alone any particular browser, to call upon the services of Jobe.
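The trust boundary described in the post, as an added toy model that is not code from the thread, from Moodle or from Jobe. It assumes a Moodle-style synchronizer token (modelled on Moodle's `sesskey`) at the browser-facing layer and an API-key header on the Jobe side (the header name `X-API-KEY` is an assumption here); the sessions, key and request shapes are constructed for the demonstration. It shows why CSRF defence belongs in the browser-facing frontend: a cross-site forgery rides on the browser's ambient cookie, which the frontend rejects without the token, while the backend never honours cookies at all, so there is nothing ambient for a forged request to carry.

```python
"""Toy model of the browser -> Moodle -> Jobe trust chain (constructed example)."""
import hmac
import secrets

# Constructed in-memory state: session cookie value -> session record.
SESSIONS = {}
# Assumed shared secret between the frontend and the backend (placeholder, not a real key).
JOBE_API_KEY = "constructed-example-key"


def login(user):
    """Frontend login: mints a session cookie and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid):
    """Only a page rendered by the frontend can embed this token; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf"]


def jobe_submit_run(headers, body):
    """Backend in the Jobe role: no cookies, no sessions, only an explicit API key header.

    Cookies a browser might attach are ignored entirely, so a forged browser
    request carries no credential the backend would recognise.
    """
    key = headers.get("X-API-KEY", "")  # header name is an assumption for this model
    if not hmac.compare_digest(key, JOBE_API_KEY):
        return (403, "forbidden: missing or bad API key")
    return (200, f"ran {body['language']} code for {body['user']}")


def moodle_submit(cookies, form):
    """Frontend in the Moodle role: authenticate the browser user, check the CSRF token,
    then call the backend server-to-server with the shared API key."""
    sess = SESSIONS.get(cookies.get("MoodleSession"))
    if sess is None:
        return (401, "not logged in")
    # Synchronizer-token check: the token must match the one bound to this session.
    if not hmac.compare_digest(form.get("sesskey", ""), sess["csrf"]):
        return (403, "bad sesskey")
    # Authenticated and CSRF-checked: the backend call carries the server's key, not the user's cookie.
    return jobe_submit_run(
        {"X-API-KEY": JOBE_API_KEY},
        {"user": sess["user"], "language": form["language"]},
    )


def demo():
    """Runs the three scenarios from the discussion and returns their outcomes."""
    sid = login("alice")
    cookie_jar = {"MoodleSession": sid}
    return {
        # Genuine submission from a page the frontend rendered: has both cookie and token.
        "legitimate": moodle_submit(cookie_jar, {"sesskey": csrf_token_for(sid), "language": "python3"}),
        # Cross-site form post: browser adds the cookie, but the token is unknown to the attacker page.
        "cross_site_to_frontend": moodle_submit(cookie_jar, {"sesskey": "", "language": "python3"}),
        # Cross-site request aimed straight at the backend: the cookie is ambient but meaningless there.
        "cross_site_to_backend": jobe_submit_run({"Cookie": f"MoodleSession={sid}"}, {"language": "python3"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check that matters is the `sesskey` comparison in `moodle_submit`: it is the only place where a request that arrived with ambient browser credentials is distinguished from one the site itself rendered. The backend call that follows is made by the server with its own key, which is why adding CSRF machinery to the Jobe side would not protect anything.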


In reply to Richard Lobb

Re: csrf protection with moodle

by agathe hubert -
Thank you very much for the detailed explanation :-)