In your use case, you should not allow any user to log in to Adobe Campaign. As Jon mentioned, there are a couple of security concerns when you allow a user to log in to your marketing database, even via API.
The recommended way will be to create a middleware API (for this particular microservice) endpoint which should act as a bridge to your system from the outside world. The cheapest way will be to use an Amazon Lambda based function, where you can easily measure the data usage and at the same time restrict them to a certain function from Adobe Campaign.
The data flow would be:
Third-party system: Read data API (AWS): authenticate the request: get the data from Adobe Campaign.
Third-party system: Update data API (AWS): authenticate the request: update the data in Adobe Campaign.
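One way to implement the bridge described in the answer above, as an added example that is not part of the original thread or any Adobe code: a Lambda-style handler that authenticates each request and exposes only a read and an update operation, with no generic pass-through to Campaign methods. The header names, field names, the secret and the `FakeCampaign` stand-in are assumptions; the real Campaign call would replace the stand-in.

```python
import hashlib
import hmac
import json

CLIENT_SECRETS = {"partner-a": b"constructed-demo-secret"}  # constructed sample
ALLOWED_OPS = {"read", "update"}        # nothing else is reachable from outside
UPDATABLE_FIELDS = {"email", "optOut"}  # hypothetical field names

class FakeCampaign:
    """In-memory stand-in for the real Campaign call (constructed data)."""
    def __init__(self):
        self.rows = {1: {"email": "a@example.com", "optOut": False}}
    def get_recipient(self, rid):
        return self.rows.get(rid)
    def update_recipient(self, rid, fields):
        self.rows[rid].update(fields)

def sign(secret, body):
    """HMAC-SHA256 of the raw request body, hex encoded."""
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

def reply(status, payload):
    return {"statusCode": status, "body": json.dumps(payload)}

def handler(event, campaign):
    headers = event.get("headers") or {}
    body = event.get("body") or ""
    secret = CLIENT_SECRETS.get(headers.get("x-client-id", ""))
    sig = str(headers.get("x-signature", ""))
    # Authenticate before parsing anything; compare in constant time.
    if secret is None or not hmac.compare_digest(sign(secret, body).encode(), sig.encode()):
        return reply(401, {"error": "unauthenticated"})
    try:
        req = json.loads(body)
    except ValueError:
        return reply(400, {"error": "bad json"})
    op = req.get("op") if isinstance(req, dict) else None
    if not isinstance(op, str) or op not in ALLOWED_OPS:
        return reply(403, {"error": "operation not allowed"})
    rid = req.get("recipientId")
    if not isinstance(rid, int) or campaign.get_recipient(rid) is None:
        return reply(404, {"error": "unknown recipient"})
    if op == "read":
        return reply(200, campaign.get_recipient(rid))
    fields = req.get("fields")
    # Updates are limited to an explicit field allow-list.
    if not isinstance(fields, dict) or not fields or set(fields) - UPDATABLE_FIELDS:
        return reply(403, {"error": "field not allowed"})
    campaign.update_recipient(rid, fields)
    return reply(200, {"updated": sorted(fields)})
```
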
As for the "nothing else", I would also like to limit one's ability to use factory schemas like xtk:session's methods, because if the user has access to those, he'd be able to do Write, so essentially insert/delete as well.
Also, what do you mean by cosmetic and what does the documentation mean by "This restriction applies only to non technical users: a technical user, with related permissions, or using a workflow, will be able to retrieve and update data."? That this can be easily bypassed if a user really wants to?