Allowing third-party apps also allows those apps to scrape and store user info, which is what Cambridge Analytica did.
Accessing an API is not scraping. Scraping is still possible without an API. All CA did was access public information. The problem in that case is not access to public information, it is intentional paid disinformation.