I wonder how much blame can be attributed to poor code examples
Cannot comment on the twitter APIs as never played with them (..obviously..)
But often when looking at code samples provided for demonstrating API use, the samples are usually focused on easy to read, quick to get up and running and try out and so often the very opposite of good security practice.
.. Consider that awareness of secure coding varies a lot across devs, and the often high pressure imposed by managers to churn code out as fast as possible I wouldn't be surprised if lots of "live" code incorporates some of the bad code patterns used in the example.
e.g. most Google maps API examples have the "key" just as part of the HTML page.
If I go to
https://developers.google.com/maps/documentation/javascript/examples/map-simple
and then click on the stackblitz link
https://stackblitz.com/github/googlemaps/js-samples/tree/sample-map-simple?file=README.md
In the index.html of that code sample I find this
<script
src="https://maps.googleapis.com/maps/api/js?key=AIzaSyB41DRUbKWJHPxaFjMAwdrzWzbVKartNGg&callback=initMap&v=weekly"
defer
></script>
i.e. sample having key plainly visible in HTML.
API providers really ought to be coerced into providing best security practice examples - may be more difficult / slower for users to get up and running but would mean better security practices likely to be used.