As an example in simple terms, if I wanted to launch a DDoS attack on Coinbase, I could maybe take down a proxy server that handles the authentication, but I would never reach the matching engine. Proxy servers are much faster/cheaper to run, and denying 1,000,000 unauthenticated requests is much easier than handling them on a public endpoint.
Getting a key is free and available to anyone with a Coinbase account, which is also free. Coinbase still has costs associated with running the servers and security, so they curb that by controlling usage.
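The layering described above, sketched as an added example (not part of the original text and not Coinbase's code): a front-end gate rejects requests without a valid key before any backend work happens, then meters each valid key with a token bucket. The names `EdgeGate` and `simulate`, the key `demo-key-1`, and the rate and burst values are all assumptions made for illustration.

```python
import time

class EdgeGate:
    """Hypothetical auth proxy: rejects cheaply before the backend is ever called."""
    def __init__(self, backend, api_keys, rate=5.0, burst=10, clock=time.monotonic):
        self.backend = backend          # the expensive service (e.g. order matching)
        self.api_keys = set(api_keys)   # constructed sample keys
        self.rate = rate                # tokens refilled per second, per key
        self.burst = burst              # bucket capacity
        self.clock = clock              # injectable so the demo is deterministic
        self.buckets = {}               # key -> (tokens, last_refill_time)
        self.stats = {"unauthenticated": 0, "throttled": 0, "forwarded": 0}

    def handle(self, api_key, request):
        # Step 1: cheap set lookup. No bucket is allocated for unknown keys,
        # so a flood of bogus keys cannot grow per-key state either.
        if api_key not in self.api_keys:
            self.stats["unauthenticated"] += 1
            return 401, None
        # Step 2: per-key token bucket caps how much backend work one key can use.
        now = self.clock()
        tokens, last = self.buckets.get(api_key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[api_key] = (tokens, now)
            self.stats["throttled"] += 1
            return 429, None
        self.buckets[api_key] = (tokens - 1.0, now)
        # Step 3: only authenticated, in-budget requests reach the backend.
        self.stats["forwarded"] += 1
        return 200, self.backend(request)

def simulate():
    """Constructed traffic: 1,000,000 requests with no key, then 25 with a valid one."""
    backend_calls = []
    fake_time = [0.0]                   # frozen clock: no refill until we advance it
    gate = EdgeGate(backend_calls.append, {"demo-key-1"}, clock=lambda: fake_time[0])
    for i in range(1_000_000):
        gate.handle(None, f"junk-{i}")
    for i in range(25):
        gate.handle("demo-key-1", f"order-{i}")
    fake_time[0] = 2.0                  # two seconds later the bucket has refilled
    status, _ = gate.handle("demo-key-1", "order-late")
    return gate.stats, len(backend_calls), status

if __name__ == "__main__":
    print(simulate())
```

The backend sees only the requests that passed both checks; the million keyless requests cost one set lookup each at the gate.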