I'd argue that they can also be implemented in a much more lightweight fashion than having to go through a whole OAuth flow just for a mobile app that hits an API that you control completely.
Then you have to deal with password resets and account creation, which if you know how those work, don't really sound all that lightweight compared to OAuth 2.