Protection from an app developer reading the raw sensor data and unlocking Face ID without you being present.

How? They can't access the secure enclave. If they make a fake 3D mask out of the map identical to your face, it's not going to work either, they've tested that.

This isn't Samsung dumping underbaked technologies on the world. Apple actually puts some thought into these things.

Sure, we know that. Consumers don't know that. Hence the marketing line about developers not having access to the "raw Face ID sensor data".

I think the concern is more around privacy the face data: Apple says they don't store it on their servers or track it, but how good a model of your face can they get from the depth map they get.

E.g., would Snapchat or Facebook now be able to pull a 3d model of the face of all their iPhone X users into their own servers?

What is the specific attack vector you're concerned about? How do you imagine one would weaponize the depth map?