I'm just thinking loud here.

I guess this is only present for backward compatibility, specifically for old Facebook Connect implementation and REST API where the APP_KEY was used.

As you can see in the FB.init Javascript-SDK:

<div id="fb-root"></div>
<script>
  window.fbAsyncInit = function() {
    FB.init({
      appId  : 'YOUR APP ID',
      status : true, // check login status
      cookie : true, // enable cookies to allow the server to access the session
      xfbml  : true  // parse XFBML
    });
  };

  (function() {
    var e = document.createElement('script');
    e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js';
    e.async = true;
    document.getElementById('fb-root').appendChild(e);
  }());
</script>

They don't mention the apiKey which is the code used with the NEW PHP-SDK.
Now if you go to the old connect-js example:

FB.init({ apiKey: '48f06bc570aaf9ed454699ec4fe416df' });

So debugging the connect.facebook.net/en_US/all.js file (using JSBeautifier):

FB.provide('', {
    init: function (a) {
        a = FB.copy(a || {}, {
            logging: true,
            status: true
        });
        FB._apiKey = a.appId || a.apiKey;
        if (!a.logging && window.location.toString().indexOf('fb_debug=1') < 0) FB._logging = false;
        FB.XD.init(a.channelUrl);
        if (FB._apiKey) {
            FB.Cookie.setEnabled(a.cookie);
            a.session = a.session || FB.Cookie.load();
            FB.Auth.setSession(a.session, a.session ? 'connected' : 'unknown');
            if (a.status) FB.getLoginStatus();
        }
        if (a.xfbml) window.setTimeout(function () {
            if (FB.XFBML) FB.Dom.ready(FB.XFBML.parse);
        }, 0);
    }
});

You can see here that it's checking the presence of apiId or apiKey and then trying to call the graph api and else the rest api:

FB.provide('', {
    api: function () {
        if (typeof arguments[0] === 'string') {
            FB.ApiServer.graph.apply(FB.ApiServer, arguments);
        } else FB.ApiServer.rest.apply(FB.ApiServer, arguments);
    }
});

And:

graph: function () {
    var a = Array.prototype.slice.call(arguments),
        f = a.shift(),
        d = a.shift(),
        c, e, b;
    while (d) {
        var g = typeof d;
        if (g === 'string' && !c) {
            c = d.toLowerCase();
        } else if (g === 'function' && !b) {
            b = d;
        } else if (g === 'object' && !e) {
            e = d;
        } else {
            FB.log('Invalid argument passed to FB.api(): ' + d);
            return;
        }
        d = a.shift();
    }
    c = c || 'get';
    e = e || {};
    if (f[0] === '/') f = f.substr(1);
    if (FB.Array.indexOf(FB.ApiServer.METHODS, c) < 0) {
        FB.log('Invalid method passed to FB.api(): ' + c);
        return;
    }
    FB.ApiServer.oauthRequest('graph', f, c, e, b);
},
rest: function (e, a) {
    var c = e.method.toLowerCase().replace('.', '_');
    if (FB.Auth && c === 'auth_revokeauthorization') {
        var d = a;
        a = function (f) {
            if (f === true) FB.Auth.setSession(null, 'notConnected');
            d && d(f);
        };
    }
    e.format = 'json-strings';
    e.api_key = FB._apiKey;
    var b = FB.ApiServer._readOnlyCalls[c] ? 'api_read' : 'api';
    FB.ApiServer.oauthRequest(b, 'restserver.php', 'get', e, a);
},

As you can see here, it's used with the Old Rest API, reading the documentation there:

The REST API supports both OAuth 2.0 as well as an older, custom authorization signature scheme. See the authentication upgrade guide for information about how to upgrade your existing sessions to OAuth 2.0.

So the APP_KEY is definitely there for backward compatibility!