Currently when a user creates a user API token, any usage of that token has the same rights as the user who created it.

If instead a user could restrict the scope of the token on creation, they could have API tokens that are tailored to their use case and inherently less risky if accidentally exposed.

The restrictions could be on read/write/update, site based, product based or even restrictions within the products themselves such as specific spaces or projects.