The APIs in question are client-side iOS and Android APIs. Most of these apps are just WebViews wrapped in spyware, which is the point. It doesn't matter that most of the content is static or already uses browser-native APIs for functionality like forms, gating access to this information behind a surveilance device is the point.