The idea is to only distribute the root of the tree to a client, query the server for the username you want to look up, which then returns the key and a short proof that this username maps to that key within the hash tree identified by the known root.
How is that substantially better than an API that returns a user’s key?
If the service provider (ie. the X.com servers) are evil, then the API can return false data and the client has no way to know.
However, with a merkle tree, the root hash is embedded into the app, and the servers return the data together with info chaining to the merkle root (typically a few kilobytes, even if the whole tree is hundreds of gigabytes).
With that info, the app can verify the chain to the root and be sure that the servers aren't returning false data.
To clarify the above. It protects against endpoint compromise but depends on the assumption that the service operator (the one computing the root hash) is trustworthy. In other words it significantly reduces attack surface.