This isn’t completely true. Twitter Cards are implemented through metadata tags in the website source. All the information for cards are described by this information. The Twitter app crawls the linked URL to strip out this info and displays it as a ‘card’.
Whilst the Twitter API won’t expose the formatted data inline, there’s nothing stopping third-parties from crawling URLs themselves and accessing the same information. With a little bit of work, Tweetbot could mirror the ‘cards’ functionality 1:1. Twitter might balk at it but I haven’t seen anyone toe the line yet to find out. I don’t think there is a rule (yet) that prevents it.