The API key thing is a bit of a distraction: it’s used in this article as a hypothetical demonstration of one kind of secret that could be extracted in this way, but it’s only meant to be illustrative of the wider class of attack.