I understand what you mean, but an attacker wouldn't be able to decrypt during a MiTM attack since SSL is being used -- regardless of cert pinning. An effect of pinning is losing the ability to perform a self MiTM to decrypt traffic; this post simply demonstrates bypassing that.
I was pretty sure of the 3rd-party integration, but I'm still not sure why they're checking if the user's device is rooted. I suppose for payment processing, they consider it a security risk?
In the Reddit thread the article links to, it mentions people spoofing GPS to fake checking in at places to get loyalty points. So even if Subway doesn't have something like that, it might be that the 3rd party does and they are trying to prevent people from faking check-ins?
I think the best solution is to not trust the client in assigning the perfectFitId. The login POST should be able to determine the perfectFitId for the user after login and maintain a session through OAuth or another session management process.
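The fix this comment proposes, written out as an added example (not code from the linked article, Subway's app, or any of the commenters): a tiny in-memory stand-in for the backend in which login looks the perfectFitId up from the user record and the check-in handler derives it from the session instead of the POST body. The user table, the `pf-…` ID values, the cookie name and the handler names are all constructed for illustration.

```python
"""Login derives the per-user ID server-side; check-in never trusts it from the client.

Added example: an in-memory stand-in for the app backend. USERS, SESSIONS,
the cookie name "session" and every perfectFitId value are constructed here.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: username -> (password, perfectFitId)
USERS = {
    "alice": ("alice-pw", "pf-1001"),
    "bob":   ("bob-pw",   "pf-2002"),
}

# Opaque session token -> username, populated by login()
SESSIONS: dict[str, str] = {}


@dataclass
class Request:
    """Minimal HTTP request stand-in: parsed JSON body plus cookies."""
    body: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def login(req: Request) -> dict:
    """POST /login: verify credentials and mint a random session token.

    The perfectFitId is tied to the server-side user record; the client never
    supplies it and is never asked to send it back.
    """
    user = req.body.get("username", "")
    pw = req.body.get("password", "")
    rec = USERS.get(user)
    # Constant-time comparison so the password check does not leak via timing.
    if rec is None or not hmac.compare_digest(rec[0], pw):
        return {"status": 401}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return {"status": 200, "set_cookie": {"session": token}}


def checkin_trusting_client(req: Request) -> dict:
    """BEFORE: the ID is read straight from the POST body (the pattern the comment objects to).

    Any logged-in user can submit someone else's perfectFitId and the points
    are credited to that account.
    """
    if req.cookies.get("session") not in SESSIONS:
        return {"status": 401}
    pf_id = req.body.get("perfectFitId")
    if pf_id is None:
        return {"status": 400}
    return {"status": 200, "credited": pf_id}


def checkin_session_bound(req: Request) -> dict:
    """AFTER: the ID is derived from the session; a body value cannot redirect credit."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return {"status": 401}
    pf_id = USERS[user][1]
    # Defence in depth: if a tampered client names a different account, fail
    # loudly rather than silently crediting the session owner.
    if "perfectFitId" in req.body and req.body["perfectFitId"] != pf_id:
        return {"status": 403}
    return {"status": 200, "credited": pf_id}


def demo() -> tuple:
    """Bob logs in as himself, then submits Alice's ID on check-in.

    Returns (account credited by the trusting handler, status from the session-bound one).
    """
    resp = login(Request(body={"username": "bob", "password": "bob-pw"}))
    cookies = resp["set_cookie"]
    forged = Request(body={"perfectFitId": "pf-1001"}, cookies=cookies)
    before = checkin_trusting_client(forged)["credited"]   # Alice's account is credited
    after = checkin_session_bound(forged)["status"]        # rejected
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point of the session-bound handler is that the only client-controlled input that influences which account is credited is the session token, which the server minted at login; everything else in the body is either ignored or cross-checked against the server's own record.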