From what I understand, when an API token is created, it grants full access to to a project/workspace including destructive actions. I don't see an option to restrict token's access scope.

I think that introducing tokens with granular control (like disabling destructive actions, restricting specific resources) would drastically improve overall security in cases where the token becomes compromised.