The MyQ app sucks, though. Besides the dark pattern ad-forcing they do, I've also had the thing redraw while I was holding the button to open a door. Which meant the wrong door opened entirely - one that happens to be 20 miles from where I was standing. I have had this happen multiple times, it's ridiculous.

Couldn't people do some reverse-engineering to figure out the first-party protocol and impersonate the official app in the API integration?

AFAIK yes, but to quote the article (which quotes the maintainer of the MyQ integration, Lash-L [0]), “We are playing a game of cat and mouse with MyQ and right now it looks like the cat is winning”

[0] https://github.com/Lash-L

Yes, that's what they've done. The problem is that myQ keeps trying to fingerprint the device to check if the requests are coming from a real app before offering service.