I take it as a sign of the current state of hackernews that nearly no one took the time to actually RTFA. This isn't about making apps that run on the car, this is about being able to integrate your external apps with the fleet API. Like, an external app that has permission would be able to locate the vehicle.
That said, I think the security implications are fairly important, since I expect one of the exposed features is to be able to unlock or start the car.
Almost all of this functionality has been available for many years through the reverse engineered API used by the official Tesla app. There is unofficial third party documentation and many third party apps using it are available.
The difference here is that Tesla is creating a new, officially supported API explicitly for third parties, with official documentation, scoped authentication, and a developer program that requires registration (and in the future, payment). Presumably once the SDK is finalized they will start cracking down on apps using the older reverse engineered API.
The only new functionality AFAIK is a push API that allows cars to directly stream information to your server via their cellular connection; previously the information was available but required polling through Tesla's intermediary servers.
I've been doing that for a while with my own car because their API (like other OEMs') is just an OAuth2 REST API with unofficial documentation. So I think this is more "Tesla is launching their developer API documentation and officially letting people develop against it".
Fwiw Tesla's has been the best to work with in my limited experience. Ford's is also decent but the most important remote commands (like start/stop charging) seem to be hidden behind obfuscated endpoints. I spent quite some days trying to reverse engineer them but ultimately gave up.