The paper references some threat models they considered. They suggest someone might "possess paired information (both original and watermarked content)" and therefore be able to undo watermarking. Presumably it's fairly easy to get identity operations out of image APIs that would result in this situation. I'm not sure that addresses echelon's main concerns though.