The answer all of my computer science teachers and professors and security websites gave me is: never trust the data. So, I would say, expect it to sometimes come back null, as you are seeing it that way. Always consider that the API could either return incorrect, bad, or missing data. This is something that I include in security training for my department at my job in fact. Developers are to always expect the unexpected.