The only difference I can see is that the passphrase is chosen by the user rather than being randomly generated by Bitfloor.
This is precisely the difference. With a passphrase that is selected by the user, having access to the API key and secret key (database dump or otherwise) will not allow the attacker to create phony API requests. The API still generates a strong secret key for signatures, which is not user-selected.
Previously (and with many current exchange APIs), if an attacker is able to get a list of API keys and secrets, and the exchange does not detect or react quickly enough, then the attacker can simply use the keys to make API calls as if they were you (no intercepting or other complex action required on the server by the attacker). Using a passphrase which is stored using a one-way salted hash ensures that even with key access the attacker will not be able to make requests without knowing your user-selected passphrase. The use of a passphrase sets up a shared responsibility to secure secrets between the client and the server, without all of the data required to make the API request being stored by our server.
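The server-side check described above, sketched as an added example that is not part of the original post and not Bitfloor's code: the record layout, function names, PBKDF2 work factor and HMAC-SHA512 signing are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor, not a value from the post


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """One-way salted hash; only this output is stored, never the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def create_api_credentials(passphrase: str) -> dict:
    """Build the server-side record, i.e. everything a database dump exposes."""
    salt = os.urandom(16)
    return {
        "api_key": os.urandom(16).hex(),
        "secret": os.urandom(32),  # strong signing secret generated by the server
        "salt": salt,
        "passphrase_hash": hash_passphrase(passphrase, salt),
    }


def sign(secret: bytes, body: bytes) -> str:
    """Client-side request signature over the request body."""
    return hmac.new(secret, body, hashlib.sha512).hexdigest()


def verify_request(record: dict, body: bytes, signature: str, passphrase: str) -> bool:
    """Accept only if BOTH the signature and the user-selected passphrase match."""
    expected_sig = sign(record["secret"], body).encode()
    sig_ok = hmac.compare_digest(expected_sig, signature.encode())
    # Evaluate both checks before combining so a failure in one does not
    # short-circuit the other (constant-time comparisons throughout).
    candidate = hash_passphrase(passphrase, record["salt"])
    pass_ok = hmac.compare_digest(candidate, record["passphrase_hash"])
    return sig_ok and pass_ok


if __name__ == "__main__":
    record = create_api_credentials("correct horse battery staple")  # constructed
    body = b'{"product_id": 1, "size": "0.5", "side": 0}'  # constructed sample body
    sig = sign(record["secret"], body)
    print("owner, key + secret + passphrase:", verify_request(record, body, sig, "correct horse battery staple"))
    print("dumped key + secret, no passphrase:", verify_request(record, body, sig, ""))
```

The second call carries a signature that is valid for the stored secret, yet it is rejected because the stored record contains only the salted hash and not the passphrase itself.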