Moved to correct forum - this was in an update to node-steam-session, not node-steam-user.
As far as I've seen, this parameter is present for any GET request issued by the mobile app to the WebAPI. Confirmations don't go through the API so it's not present for those requests.
In practice, the only request that origin=SteamMobile is added to in steam-session is the initial GetPasswordRSAPublicKey request as that's the only GET request issued when using EAuthTokenPlatformType.MobileApp.