HIBP offers you a way to validate a password has been compromised; HIBP does not offer you a way to determine it has not been compromised or is otherwise suitable for use. It’s a service for excluding compromised passwords from use.
How does this work?
2 cases:
1. I know password P is compromised. I check it in HIBP. If compromised, great, but I already know that. If not, well, too bad. I still can't use it because I know it's compromised. - decision doesn't depend on the result of HIBP.
2. I don't know if P is compromised. I check it in HIBP. If compromised, I don't use P. If not, I don't use P because I already put P in a text box connected to the internet. - decision doesn't depend on the result of HIBP.
Don't get me wrong, I'm well aware of the value of HIBP. I'm just arguing about this particular use case.