@lemccomb kid is a common COSE header parameter described in Section 3.1 of RFC9052.

The RFC specifies allows it to be placed in either header:

This is not a security-critical field. For this reason, it can be placed in the unprotected-header-parameters bucket.

Applications that make use of transparency services probably want to use the protected header for kid, since the unprotected header is typically stripped by implementations, as per Section 6.3. of the SCITT Architecture Draft:

However, the unprotected header of a Signed Statement MUST be set to an empty map before the Signed Statement can be included in a Statement Sequence.

It is of course possible for the client to re-attach it post-TS, and so this is not strictly speaking necessary, but it is quite convenient and make key usage transparent as well.