This is not a problem because… he is the owner of the key (not your app…). This user already has access to everything this key gives access to.
Right. If you use API Connector to call your endpoint, you cannot set this as a private endpoint. Take time to read this topic from @georgecollier: "Why your backend workflows might be your app's biggest vulnerability"