For example, the article includes URLs like "/people/123". The security of having a leading slash in these depends on API base URL.
"https://api.hotstartup.com/v1" – safe
"https://api.hotstartup.com" – unsafe with ".evil.com/people/123"
I wouldn't really call this particular scenario a security issue, but allowing such things is a bad habit that will eventually bite. It's like not HTML-encoding values like usernames that you "know" are safe (but you know are not HTML-encoded).
If I visit an HTML page with a link to “.evil.com/people/123” and click on it, the user agent won’t append “.evil.com” to the hostname. You’d instead get something like “https://api.hotstartup.com/.evil.com/people/123” which would be safe (if not broken).