Hi,
1) Yes, the only way that I'm aware of to integrate AEM and DTM is via the API token, which is user-specific.
2) Yes, the API token is user-specific and carries the permissions associated with that user. If the user has access to more than just the web property they are sharing with you, then in theory you would have the ability to change other web properties. A quick solution to this would be to create a user with access to only that one web property and use the API token for that user for the integration.
Thanks,
Jantzen