Root =/= insecure. You probably have administrator access on your home computer operating system, and can very likely do online banking via the web browser with no issues. A secure API is possible regardless of the host metal, operating system, or user permissions.
Do you refer to app-accessible root or user root access? The former is absolutely inherently insecure and compromises the security model of Android/GOS.
Root on computers is insecure. Malware can steal secrets from other applications. We're just used to it, but the Android security model is much better.
Bingo!
Compliance =!= Security