You don’t speak for Twitch; you only make authoritative-sounding statements as though you do. In reality, their compliance officers disagree with your assessment (or are incompetent because the man from the internet said).
GDPR does not allow divulging even selected private information, even to random non-employees who have legally-meaningless statuses like “moderator” and “broadcaster”.
The website never reliably showed all members of chat, so that claim could have always been made. In fact, it does publicly display a list of chatters. Publicly. Publicly.
The new chatters endpoint requires properly authorized moderator tokens to get any users in chat.
Publicly displayed information is highly privileged… for third party developers.
This would be an entire non-discussion if they provided equivalent information with equivalent authorization requirements. They don’t. Pretending otherwise doesn’t change the facts.