I noticed a major privacy problem with API 2.0 while testing out the possibilities of restricted permissions for normal users:
Using the command https://analytics.adobe.io/api/[mycompany]/users?limit=[XX] a normal user can get a list of all users in a given organization. This may pose a privacy issue as a normal user should not be able to see the usernames, admin status, email, first & last name, phone number, and title. Those are highly personalized information on any given user. Usually, I would think that only admins can get access to this information. Even though a "normal" user has no writing rights to manage, change or create users this is still a problem.
Client Care says that the function is working as intended but this feature should not be an intended function for API 2.0. Please change this so that only admins can use this function and normal users only get information on their own account with https://analytics.adobe.io/api/[mycompany]/users/me.