An API key has been configured with access to selected user or device groups, but when it is used for a user- or device-related GET API call, it can view all users or devices.
Privileged Access Manager, all releases as of March 2023
The user with which the API key is associated is a member of a group that has access to all users/devices. The API key inherits roles from a user group the same way that a user does.
There is currently no functionality to limit which roles an API key inherits from a user group. As a workaround, remove the user from the user group and grant all roles at the user level.