I sort of disagree that it's commoditised, since the most popular email API would have the moat of being included in every spam filter whitelist. By choosing Sendgrid, paying them for the service and getting their IP ranges you guarantee that you get the greatest chance of getting your email delivered. That commands a premium.
Yeah you can go for Amazon SES or Mailgun or something, but they are used to spam too, Amazon SES to an even greater extent.
You are also guaranteed to get whatever the latest email innovation of email delivery they come up with as one of the early adopters. If they decide to deprecate SMTP and build something more secure, private, easier to authenticate and identify, you get that for "free" without having to change your code.
I see Sendgrid as a relationship maintainer between developer and Gmail/Outlook/Yahoo/long tail of other email providers. You pay them and they make sure your emails show up in those inboxes.
Sendgrid has issues with hacked accounts, which is probably their biggest struggle right now, but even then they have things like reputation. A hacked account would very quickly dip their reputation and be excluded from delivery anyway, without affecting the platform at large. They push 2FA tho, and I think some sort of automatic api key rotation system would be a nice remedy too.
Ultimately, Sendgrid maintains risk on per-account basis. Email providers understand that too, even though SMTP as a protocol and spam filters don't necessarily reflect that. Sendgrid as a platform is never under threat, individual Sendgrid accounts are.
