Not for the operators, I expect. If they flip a couple bits in the webserver I think they can lock the API down to require a device attestation, which would inhibit much of the API’s attack surface from being exploitable without a physical device that can afford to be console-banned (but I haven’t done my research to prove that yet, so grain of feasibility salt). Certainly in this day and age there is no desire to be “search engine optimized” by anyone using a social network for IRL friends, so they lose nothing by lacking a website. And there’s lots of small but nice services that are or have been iOS only (and a couple big ones that collapsed once they opened to other platforms). They’re explicitly selecting against the network effect already in favor of a nice experience, so it’s not like it matters if it grows more slowly. Are there drawbacks you see besides “requires an iOS device” that I haven’t considered?