I can understand if the warning does not necessarily imply that the user is granted more than is listed on the page. This is clarified in our more specific documentation on API Tokens and the permissions given here:
Use caution when you assign the following ACL privileges:
- Everything — This allows an API token user access to the entire system. A user with this token can perform all root user functions.
Where the API functions are concerned, you must have root permissions to affect an account that is not your own or that is not owned by your user. With the way that the system is designed, this is a blanket scenario. Either you have permission to affect users that aren't yours, or you don't, and this is reflected in the Everything flag: this token is to be given permission to affect all users on the system. Where the API functionality is concerned, being a token of the root user does not automatically grant you root permissions, which is what is necessary to do certain functions and to affect users that do not belong to you.
This is reflected more clearly in a different scenario. If you were using these tokens created by a reseller account, you would have full access to suspend and create accounts that you own without these permissions blocks because the only accounts that the reseller can see and access are those that it owns. If you were to put in the name of an account that the reseller does not own, then you would get the same error messages. This same functionality is applied to the root user within the token system, as to the system, all users are the same. A root-user-created token isn't given any priority unless it has the root