Uh, it's called "code cleanup" or "refactoring", not "security improvements." I don't know anything about you, but for myself, as a programmer, doing these sorts of passes over an "API", especially one that just kind of "evolved" instead of being designed, is kind of normal. I don't know why you're seemingly demanding that the changes be strictly related to security improvements. Making getters and setters go through function calls make mocking easier so you can build tests against it and do things like put mutexes in to help with threading. What I'm saying is that this is all normal. Not a conspiracy.