Assuming that's true, why would they publicly expose the back door as an anonymous API endpoint that's used in a standard flow within the product? Incompetence seems much more likely.

I'm not even sure that would constitute a "back door" - it's more of an "additional front door with no lock whatsoever".