Hacker News

This is true, but the abuse would still be possible today if someone is reverse engineering software or talking to servers where everything is over APIs anyway. I'm talking about local interface decoupled with a local API from implementation. The problem today is that programmers can't compose or build software on top of other software they have.


> I'm talking about local interface decoupled with a local API from implementation.

To expose this "local API" usefully, you must either:

1. Share memory with other processes (new attack vector), or
2. Listen on some kind of network or native socket for messages and authn+authz the commands that come through it based on some security protocol (new attack vector).

The value proposition of an API is to allow control and data flow between an application and some external entity. It seems to me that it has security implications by definition.
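
An added illustration of option 2 from the comment above (not code posted by anyone in this thread): a minimal local API on a Unix domain socket that authenticates the caller through the kernel with the Linux-only `SO_PEERCRED` option and authorizes each command against a per-UID allow list. The command names and the policy are made up for the example.

```python
import os
import socket
import struct

def make_policy(owner_uid):
    """Hypothetical policy: map local UID -> commands it may issue."""
    return {owner_uid: {"status", "export"}}

def peer_uid(conn):
    """Authn: ask the kernel who is on the other end (struct ucred, Linux)."""
    size = struct.calcsize("iII")  # pid_t, uid_t, gid_t
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid

def handle(conn, policy):
    """Read one command line, apply authz, send and return the reply."""
    uid = peer_uid(conn)
    line = conn.recv(256).decode("ascii", "replace").strip()
    command = line.split(" ", 1)[0]
    # Authz: default deny; unknown UIDs and unlisted commands are refused.
    if command in policy.get(uid, set()):
        reply = "OK " + command
    else:
        reply = "DENY"
    conn.sendall(reply.encode("ascii") + b"\n")
    return reply

def demo(command, policy):
    """Drive one request through a connected AF_UNIX socket pair."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with client, server:
        client.sendall(command.encode("ascii") + b"\n")
        handle(server, policy)
        return client.recv(256).decode("ascii").strip()

if __name__ == "__main__":
    policy = make_policy(os.getuid())
    for cmd in ("status", "delete-all"):  # constructed sample requests
        print(cmd, "->", demo(cmd, policy))
```

Even this small version has to parse untrusted input and keep an allow list correct, which is the added attack surface the comment refers to.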



