Wouldn't there be all sorts of human detection that they could do, similar to how game cheat engines work? A human is going to move the mouse across elements, drag, poke the screen, be slow, etc, and all in fairly predictable ways. Some API calls almost certainly require human interaction, where some interaction graph could be feed as a key to the API. It's cat and mouse, but at some point the mouse is going to get tired.
This is close to how recaptcha v3 works. It can look at the users behavior on the site and classify normal users vs bot users. You have to do some setup to feed your own set of user action data into recaptcha though.
