
If an API is undocumented, how can you know that it doesn't exist? It might very well exist for internal debugging purposes, just not at the URL you might expect. Or maybe it's at the expected URL but returns 404 to everyone whose access token isn't flagged as an employee in the appropriate department.

As someone who relies very heavily on logs to debug issues in immature and/or fast-moving products, I would be surprised if they didn't log everything. It's sysadmin 101.




In the modern era, you should expect that the privacy policy contains the details of everything that's logged. You need to know that so you can tell your customers what is logged by your subs.


> In the modern era, you should expect that the privacy policy contains the details of everything that's logged.

Perhaps corporations with a history of abusive tactics and legal shenanigans would prefer to follow a different path?


What a naive / handwavey response. It's clearly not a case of "oh, we never finished up cleaning up the API for use in production" - it's a case of "here's a secret backdoor that we're only going to share with a privileged handful of powerful corporations".



