Yes, they working exactly like this. We just extended the possibility to limit access earlier, on API key level.
If you use the default settings it will be the same as an usual unrestricted API key.
In other words - all old API keys were unlimited by default.
However, you, as a project owner, can have an access to the buckets by creating another API key without restrictions (i.e. with full unlimited access).
If you use only API keys for your patients, then you must strict each API key to only their buckets, and now it’s possible.
Otherwise, anyone with an unlimited API key from your project will have full access to the buckets, but not the content (if they use different encryption phrases).
This is one of the reasons why we have added this functionality.
The API keys was intended to give full access to the project, permissions expected to be added later, when you generate a shared access grant via
uplink share, and applications should use this access grant to have a granular access to only allowed objects and buckets.
But we figured out that there are such cases as you described - i.e. the user do not want to generate an access grant and uses only API keys, in such a case only application would decide regarding access limits.