Nope. Even if the API were used illegally it still doesn't make it right to make threats of possible usage of physical force. Ask nicely and/or send a DMCA, period.
The DMCA absolutely applies here, since the whole request was for the repository on Github to be removed, and Github is an American website that follows American law and receives DMCA requests.
It's my understanding that Github also operates in China and has to follow Chinese law, so that Chinese citizens are allowed to use it. Maybe you can advise on Chinese law? I don't see why it's not right to get the police involved if it turns out to be a criminal matter in China. (Not saying it is, I don't know)
DMCA absolutely does apply here, as Github is an American company and has to follow it to keep its safe harbour status.
There's also no indication that Xmader is a Chinese citizen. The Anti-CPP message on his profile could also mean he's from Hong Kong, Taiwan, or anywhere in the world. The person making the threat seems to be Russian and MuseScore seems to be registered in Belgium.
Even if China could be involved, if MuseScore prefers to solve this using physical force (their words) rather than a simple DMCA, that paints them in an even worse picture than anyone ever in the history of open source.
This was a mafia-like threat, plain and simple. There's absolutely no justification for it, even if it's possible to happen.
Maybe the company has more information than you do, we don't know that. I certainly hope anyone in open source feels safe to call the police when a criminal violation is happening, regardless of what it is. Again we can debate individual laws and individual enforcement actions, but comparing any laws or police anywhere to the mafia is nonsensical. Let's focus on the facts.
As explained, there is no violation here, since the API was being used as intended.
Also, considering the owner of the repository considers the Chinese state a dictatorship, it's pretty fair to assume "calling the Chinese police on him" doesn't mean anywhere near the same as it means calling the police in Europe or America. This is clearly the worst kind of threat you can make to this developer.
You seem to be giving all the possible benefit of the doubt to the company while giving less than none to the repository owner, even when they provided information about how what they're doing is not breaking the law, and provided a proper way to solve the issue, DMCA. At the same time, the company hasn't provided much.
I don't see why anyone should assume that the company knows anything more than that but is still resorting to threats instead of solving this the easy way.
The accusations don't have a leg to stand on, otherwise a simple DMCA would have solved the issue, period.
EDIT: Also, I don't see how this conversation can continue. If you don't see a problem with calling the CCP police on someone whose only personal information we know is that he's anti-CCP, then I don't think we have enough ethical common ground to even continue this discussion.
If the complaint is as easily dismissable as you say it is, without apparently even needing the consult of a lawyer experienced in Chinese law, then it seems no harm was done. The repository is still up months later, so that's where I'm giving credit to the repository owner. And obviously if the person is not a citizen of China then talks of investigation by the Chinese police wouldn't really be relevant, so again no harm done. The letter can be dismissed without needed to post it on Github and make an issue of it.
However I would still encourage open source authors to be educated on Chinese law and to avoid telling Chinese citizens to do things that could potentially get them arrested in China. If there is a real legal threat there it's irresponsible to ignore it. So in the end it's probably good that it was posted on Github.
Edit to respond to your edit: That's not my view. The issue is that the police have already been called by a different party. (or the equivalent of it, i.e. the company is contractually obligated to contact the government in the event of a violation, under threat of legal action from that government) The email appears to just be informing them of that fact. In my view, that is the only responsible thing to do. The only other option is to just not inform them, and have the police show up anyway.
You just said "Let's focus on the facts" but you are presenting another invalid theory. The email specifically mentions that nobody was contacted: "Otherwise, I will have to transfer information about you to lawyers who will cooperate with github.com and Chinese government...". The email is just a threat to install fear on the maintainer. There's no Chinese police involved yet, no laws being broken, no private API being used, no DMCA, there's nothing. You're grasping at straws. Please stop defending the indefensible.
Again, they may be under a non-negotiable contract with a government to say that. The replies further down the issue seem to suggest that is the case. I don't defend the actions of the parties responsible -- But the fact is if there are no Chinese laws being broken, I don't believe you or I are in the position to make that judgement, or at least that case hasn't been made so far. If your concern is with an oppressive government, please don't attack people who are also being oppressed by that government, and please don't suggest people ignore potentially real threats that could get them arrested by that government. I agree with you, I don't want the author of this software to get in legal trouble.
Again you're making conjectures and not sticking to facts. The only person attacking a person oppressed by the CCP is the MuseScore developer. He's also the one threatening to involve the CCP. And you're being an apologist for them. It wasn't an alert, nor an attempt to make the plugin legal. The "Otherwise, I will have to transfer information" is a pure and simple threat. And you're the one making excuses for that behaviour.
If this is a real threat then MuseScore really handled it the worst way possible and they should be ashamed for purposefully threatening to endanger a CCP citizen. If it's not, it's just a mafia-style shakedown.
Once again: if you don't see a problem with calling the CCP police on someone whose only personal information we know is that he's anti-CCP, then I don't think we have enough ethical common ground to even continue this discussion.
Again, musescore may already be involved with the CCP for contractual reasons. Basically all companies who do business in China are involved with them in some way. These things happen for reasons beyond their control, e.g. an investor sells everything off to foreign investors who then change the terms. If you're being careful, you have to assume they are already compromised. I don't apologize or make excuses, it's just basic safety. My view is that if this person is really worried about threats coming from a government, it would be wise to take those threats seriously. Github profiles are public, so it's not exactly hard for them to find this information.
Edit: I agree with you that if this musescore developer is lying about that, then that would be wrong of them. But I don't think I have enough information to make that judgement. So I think that's where we're disconnected. At least for open source projects, my view is to take any and all potential legal threats seriously until the matter is resolved with the lawyers.
The DMCA absolutely applies here, since the whole request was for the repository on Github to be removed, and Github is an American website that follows American law and receives DMCA requests.