Since cPanel has released a new API, we should work out what exact ACL permissions are needed, instead of setting them to ALL, as ALL is not optimal.

Contact has already been made with cPanel on this, and they indicated:

 When you submit an API request without the 'all' ACL, regardless of the user, this is run under the context of a single user.

Details to be added here as an when they arrive.

FWIW, ACL on token is still "experimental" in cPanel, not sure when the feature will be considered as stable.