Hacker News

Nothing could go wrong with having a way of hitting millions of websites at once with a 0 day exploit :)


The functionality provided by such an API could be limited to disabling the account until the password is manually reset given that the client provides a valid email and password. The blast radius for that would be pretty small.

I don't use 90% of the entries in my password manager on a monthly basis so anything that allows me to delay the password change on hundreds of accounts until I need to use the account again would be valuable.


Obscurity is security, as the saying goes.


Isn’t the saying, “security through obscurity is no security at all”?


I believe the person you replied to was being sarcastic.



