it seems that no permission limits are enforced when using api - logged in as monitoring access with read only access to single hostgroup, was able to access all configured hosts, all user information including password hashes etc