Possibly more of a feature request (though I don't see a section for SDK in Feature Requests).
I've noted, after being asked by a 3rd party for access, that there is some gap / tightening required for this to be achieved.
After setting up an account with no permissions, just view-only really {no admin/create/report/ack alerts etc.}, and only able to view a limited bunch of nodes set by the account visibility permissions, I found that certain platform-based queries could still be made.
Examples -
Orion.AlertStatus - showed all alerts regardless of the account permission restricting it from seeing other nodes
Orion.Accounts - platform wide user account visibility
Orion.ActionsProperties - details of a report not relevant to that user and if they ran the report from the WebUI then they would get 0 results.
Am I looking at this incorrectly / too deeply and this wouldn't be the case?