A few reasons that all connect to each other. The biggest, most foundational one is that spammers are highly sophisticated criminal organizations, and will constantly be trying to figure out how to leverage your product for spam.
If they are successful, it is extremely costly for you (primarily in terms of IP reputation, which is very difficult to maintain) and cheap for them.
If they are unsuccessful, well, they'll keep trying and stopping them continues to be costly for you and they only need to get lucky once every so often for it to be worthwhile for them to continue.
Exacerbating all this, it's extremely commoditized, so even fairly large customers aren't going to make you that much money, especially given all the hassles of maintaining it.
I sort of disagree that it's commoditised, since the most popular email API would have the moat of being included in every spam filter whitelist. By choosing Sendgrid, paying them for the service and getting their IP ranges you guarantee that you get the greatest chance of getting your email delivered. That commands a premium.
Yeah you can go for Amazon SES or Mailgun or something, but they are used to spam too, Amazon SES to an even greater extent.
You are also guaranteed to get whatever the latest email innovation of email delivery they come up with as one of the early adopters. If they decide to deprecate SMTP and build something more secure, private, easier to authenticate and identify, you get that for "free" without having to change your code.
I see Sendgrid as a relationship maintainer between developer and Gmail/Outlook/Yahoo/long tail of other email providers. You pay them and they make sure your emails show up in those inboxes.
Sendgrid has issues with hacked accounts, which is probably their biggest struggle right now, but even then they have things like reputation. A hacked account would very quickly dip their reputation and be excluded from delivery anyway, without affecting the platform at large. They push 2FA tho, and I think some sort of automatic api key rotation system would be a nice remedy too.
Ultimately, Sendgrid maintains risk on per-account basis. Email providers understand that too, even though SMTP as a protocol and spam filters don't necessarily reflect that. Sendgrid as a platform is never under threat, individual Sendgrid accounts are.