Returning DTOs is preferred because of the points below:
You can hide sensitive fields (e.g., passwords, internal IDs).
Prevent exposing your full internal data model (which can change over time).
Return only the data needed by the client — not large unused fields like blobs.
You can tailor the DTO to the frontend's needs (nested objects, flattened data, computed fields).
Entities might have lazily loaded relationships (@OneToMany, etc.), which cause exceptions when serialized.
Keeps your persistence layer (entities) from being tightly coupled with the API layer.
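Added illustration of the points above (example code, not part of the original answer): a JPA entity that carries a secret field and a lazy collection, and the DTO that is returned to clients instead of it. It assumes a Spring Boot application with Spring Data JPA and Jackson; the `User`, `Order`, `UserDto`, `UserRepository`, `UserService` and `UserController` names, the `passwordHash` field and the `/api/users` path are all made up for this example.

```java
// Added example, not code from the original answer. Assumes Spring Boot with
// Spring Data JPA and Jackson; every class, field and path name here is made up.
import jakarta.persistence.*;
import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;

// Persistence model: holds everything the database layer needs, including
// fields that must never reach a client and relationships that are loaded lazily.
@Entity
@Table(name = "users")
class User {
    @Id @GeneratedValue Long id;        // internal identifier, not needed by the client
    String username;
    String email;
    String passwordHash;                 // must never be serialized
    @OneToMany(mappedBy = "owner", fetch = FetchType.LAZY)
    List<Order> orders;                  // Hibernate proxy: serializing it outside a session
                                         // throws LazyInitializationException
}

@Entity
@Table(name = "orders")
class Order {
    @Id @GeneratedValue Long id;
    @ManyToOne(fetch = FetchType.LAZY) User owner;
    long totalCents;
}

// Client-facing shape: no id, no password hash, no entity graph, one computed field.
// Adding a column to User later does not change what the API exposes.
record UserDto(String username, String email, int orderCount) {
    static UserDto from(User u) {
        return new UserDto(u.username, u.email, u.orders.size());
    }
}

interface UserRepository extends JpaRepository<User, Long> {}

@Service
class UserService {
    private final UserRepository users;

    UserService(UserRepository users) { this.users = users; }

    // The entity-to-DTO mapping runs inside the transaction, so reading the lazy
    // collection is safe here; only the plain DTO leaves this method.
    @Transactional(readOnly = true)
    public UserDto profile(long id) {
        User u = users.findById(id).orElseThrow();
        return UserDto.from(u);
    }
}

@RestController
@RequestMapping("/api/users")
class UserController {
    private final UserService service;

    UserController(UserService service) { this.service = service; }

    // Returning User directly would leak passwordHash and fail on the lazy proxy;
    // the DTO serializes cleanly and stays stable if the entity changes.
    @GetMapping("/{id}")
    public UserDto get(@PathVariable long id) {
        return service.profile(id);
    }
}
```

The entity and DTO are deliberately kept in separate types rather than hiding fields on the entity with `@JsonIgnore`: the DTO is the only thing Jackson ever sees, so a new entity field cannot be exposed by accident, and the lazy `orders` collection is only touched while the transaction is still open.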