londons_explore 1 day ago

If the service provider (i.e. the X.com servers) is evil, then the API can return false data and the client has no way to know.

However, with a merkle tree, the root hash is embedded into the app, and the servers return the data together with info chaining to the merkle root (typically a few kilobytes, even if the whole tree is hundreds of gigabytes).

With that info, the app can verify the chain to the root and be sure that the servers aren't returning false data.

1
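A worked version of the scheme described in the comment above, added here as an illustration (it is not code from the commenter or from any X.com client). The "app" holds only the root hash; the "server" returns a record plus the sibling hashes on the path to the root; the client recomputes the path and rejects anything that does not land on the embedded root. The dataset, record names and the `APP_EMBEDDED_ROOT` constant are constructed for the example; leaf/node domain separation follows the RFC 6962 convention so a leaf hash cannot be passed off as an interior node.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed stand-in for the service's real dataset (which could be hundreds
# of gigabytes); the proof size only grows with log2(number of records).
DATASET: List[bytes] = [b"user:alice", b"user:bob", b"user:carol",
                        b"user:dave", b"user:eve"]

LEAF_PREFIX = b"\x00"   # RFC 6962-style domain separation
NODE_PREFIX = b"\x01"

Proof = List[Tuple[bytes, bool]]  # (sibling hash, sibling_is_left)


def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Server side: every level of the tree, level 0 = leaf hashes, last = [root].
    Odd levels are padded by duplicating the final node so every node has a sibling."""
    if not leaves:
        raise ValueError("need at least one leaf")
    level = [hash_leaf(d) for d in leaves]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [hash_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def make_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Server side: sibling hashes from the leaf up to (not including) the root."""
    proof: Proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(root: bytes, data: bytes, proof: Proof) -> bool:
    """Client side: knows only the root; recomputes the path from the returned record."""
    h = hash_leaf(data)
    for sibling, sibling_is_left in proof:
        h = hash_node(sibling, h) if sibling_is_left else hash_node(h, sibling)
    return hmac.compare_digest(h, root)


# The root the app would ship with (hard-coded in a real client; computed here
# from the constructed dataset so the example is self-contained).
_LEVELS = build_levels(DATASET)
APP_EMBEDDED_ROOT: bytes = _LEVELS[-1][0]


def check_all() -> Tuple[bool, bool, bool]:
    """Returns (all genuine records verify, forged record rejected, tampered proof rejected)."""
    genuine = all(verify_proof(APP_EMBEDDED_ROOT, DATASET[i], make_proof(_LEVELS, i))
                  for i in range(len(DATASET)))
    # A malicious server swaps in a record that was never in the tree.
    forged_rejected = not verify_proof(APP_EMBEDDED_ROOT, b"user:mallory", make_proof(_LEVELS, 0))
    # Or keeps the record but corrupts one sibling hash in the proof.
    bad_proof = make_proof(_LEVELS, 2)
    sib, is_left = bad_proof[0]
    bad_proof[0] = (bytes([sib[0] ^ 0x01]) + sib[1:], is_left)
    tampered_rejected = not verify_proof(APP_EMBEDDED_ROOT, DATASET[2], bad_proof)
    return genuine, forged_rejected, tampered_rejected


if __name__ == "__main__":
    print("root:", APP_EMBEDDED_ROOT.hex())
    print("proof for index 2 is", len(make_proof(_LEVELS, 2)), "hashes")
    print(check_all())
```

Note what the check does and does not cover: a client that holds the root can detect any record the server alters, adds or forges after the root was published, but it has no way to tell whether the party that computed that root put honest data into the tree in the first place.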
fc417fc802 1 day ago

To clarify the above: it protects against endpoint compromise but depends on the assumption that the service operator (the one computing the root hash) is trustworthy. In other words, it significantly reduces attack surface.