I like the breakdown between the three. The first two make sense from an API standpoint, hence why we have policies that can specify the range of what a bad actor has access to. We do auditing on our side to keep tabs on anything that seems out of place