There's no meaningful difference between "private" and "documented, but changing every patch release" from userspace POV, yet not committing to documentation saves development effort for the same result, hence "private" APIs. If anything, private apis let "system" apps run at userspace, reducing attack surface dramatically.
wtf am I reading? No no no. Undocumented apis callable from user space, that can break the OS, is a security flaw (in the OS). It’s why people laugh at windows.