Well, this was not some 'misunderstanding', it is more like a new feature(V2 API) was rolled out and people are unaware of this, this was a new addition over V1, from the author's own blog:

'Edit 2: The API model described below has subsequently been discontinued in favour of the k-anonymity model launched with V2.'

https://www.troyhunt.com/introducing-306-million-freely-downloadable-pwned-passwords/

IMO, there should be an option to toggle and disable this, some people(including me) may not want to transmit password to that site.