Well, if you create a powerful token then anyone that gets access to it can indeed do intense damage. HTTPS makes sure the token is not exposed over the network itself between the API user (that is, some sort of client application) and the Baserow server.
Where/how do you use the token? I am not familiar with AppGyver, but I assume that it will generate an application from which this token needs to be used? If that’s the case, your concern about embedding a powerful token like that is pretty valid.
I’d say that for apps like this that will run on devices/servers you don’t control, it is better to authenticate users based on their own credentials and use time-limited JWT tokens. In this case any user that would be authenticated will have their own token, with permissions set to them directly.
We plan to introduce better access control in the near future, so we are happy to hear about any permission-related wishes you might have.
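
The time-limited, per-user token approach suggested in the reply above, as an added Python example that is not part of the original post and not Baserow's own implementation. The signing key, the `perms` claim name and the permission strings are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: stays on the server, never embedded in the app

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: str, claims: str) -> bytes:
    return hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()

def issue_token(user: str, permissions: list, ttl: int = 600, now=None) -> str:
    """Mint an HS256 JWT once the user has logged in with their own credentials."""
    now = int(time.time() if now is None else now)
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": user, "perms": permissions, "exp": now + ttl}).encode())
    return f"{header}.{claims}.{b64e(sign(header, claims))}"

def check_token(token: str, needed: str, now=None) -> str:
    """Return the user name if the token is genuine, unexpired and grants `needed`."""
    now = int(time.time() if now is None else now)
    try:
        header, claims, sig = token.split(".")
        if not hmac.compare_digest(sign(header, claims), b64d(sig)):
            raise PermissionError("bad signature")
        if json.loads(b64d(header)).get("alg") != "HS256":
            raise PermissionError("unexpected algorithm")
        data = json.loads(b64d(claims))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise PermissionError("malformed token") from exc
    if data["exp"] <= now:
        raise PermissionError("token expired")
    if needed not in data["perms"]:
        raise PermissionError("permission not granted")
    return data["sub"]
```

A token copied out of one user's device stops working after `ttl` seconds and only ever carries that user's permissions, unlike a single powerful token shared by every copy of the app.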