Adding authentication so you know who is using your service is reasonable, but not sure why author is complaining about 1.2M requests per day, that is only 14 requests per second on average.
They consider those requests to be "bad actors". It's not necessarily about the volume of traffic, it's that they are compromised VPSes configured to perform unknown malicious activity that takes advantage of a free endpoint in support of unknown malicious intent. See also "Why do bad actors abuse this endpoint?" discussion elsethread: https://news.ycombinator.com/item?id=20480230
The article notes that the VPS providers indicated that those top API traffic consumers were all a specific cron.php on compromised VPSes, so while in theory your statement is true, in reality the issue here was maliciously-compromises VPSes, not VPSes in general.