They can just turn off the .json endpoints for unauthenticated requests. Their own clients use a non-public GraphQL API that (supposedly, I haven't checked) uses elaborate fingerprinting to stop outside access. When I said "all apps" I should probably have clarified that it's all 3rd-party apps.