So you are happy with the same class that is used to represent the row in the database including potentially sensitive data also being used in responses to API calls?
For rapid development, potentially yes, as is easy enough to slap [XmlIgnore] and [JsonIgnore] on properties you don't want serialised in responses.
I actually agree with you that an API response ought to be a different class, but you probably also want to consider it more carefully than using automation to generate the mapping.
It can be useful to distinguish between domain objects and objects that you use at the edge of your service, like on the API. They might have different annotations or you might want to evolve them differently, e.g. your domain objects might change while you want to keep your API the same so as not to break your consumers. Things like that.