Model extraction & stealing: with query access alone, an attacker can clone my behavior — and even solve for some of my parameters
In one sentence a stolen / cloned model can be attacked offline, repeatedly (membership inference, extraction), amplifying one-time API access into a persistent privacy risk. Conclusion: API access ≠ zero leakage — threat-model "the queries themselves can be used to extract model information."