XML-RPC is a mechanism originally implemented in WordPress to publish content without needing to log in to the backend. It is also used to log in to WordPress from devices other than a desktop, or from outside the regular wp-admin interface. For example, the WordPress iOS app uses XML-RPC to log in to WordPress.
As most WordPress site administrators won’t use either of these functions, it is recommended to disable XML-RPC to prevent abuse. XML-RPC is known to be abused for brute-force user enumeration attacks. Using a single command, hackers can try hundreds of username/password combinations. The xmlrpc.php file is also used to carry out DDoS attacks through the pingback feature.
The WordPress REST API is considered to be the more convenient and secure alternative for plugins and other applications to exchange data.
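
Before acting on the recommendation above to disable XML-RPC, it helps to see who is actually posting to xmlrpc.php. The following is an added example, not code from WordPress or from this article: it assumes a web server access log in Combined Log Format, and the function names, the 60-second window and the threshold of 5 are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+(?: "[^"]*" "(?P<agent>[^"]*)")?')

def xmlrpc_posts(lines):
    """Yield (ip, timestamp, user agent) for every POST to xmlrpc.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].lower().endswith("/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["agent"] or ""

def summarize(lines, window=timedelta(seconds=60), threshold=5):
    """Per client: total POSTs, peak POSTs in any sliding window, agents, flag."""
    hits, agents = defaultdict(list), defaultdict(set)
    for ip, ts, agent in xmlrpc_posts(lines):
        hits[ip].append(ts)
        agents[ip].add(agent)
    report = {}
    for ip, times in hits.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop hits that left the window
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {"total": len(times), "peak": peak,
                      "agents": sorted(agents[ip]), "flagged": peak >= threshold}
    return report

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"'
    for s in range(0, 12, 2)
] + [
    '198.51.100.20 - - [10/Mar/2024:09:15:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 812 "-" "example-mobile-app/1.0"',
    '192.0.2.5 - - [10/Mar/2024:09:16:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "curl/8.0"',
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because one request can carry many username/password attempts, the request count understates the number of guesses, so unflagged clients with unfamiliar user agents still deserve a look. Clients that appear here with a recognised app user agent are the ones that would stop working once XML-RPC is disabled.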