The reasoning I heard (in finance apps context) is that while not stopping committed attackers, at least some script kiddies will be stopped without ever hitting the server side of things.

It's kind of pointless in my opinion as you should be able to reverse engineer the way things work with MITMing the server communication, but I guess burning developer resources is still fine to sell "our app is extra hardened" to the public or something.