Out of game management of things such as skill queues, industry, and market orders are, from a player standpoint, a definitive ■■■■ that ■■■■ request. The last thing you’d want is people being able to use the out of game tools to program bots, which is also why ESI is read-only for industry and market orders.
As for your api keys, those are only relevant to XML/CREST, deprecating between December and May. And you understand that ESI tells you exactly what someone is asking to see? See this as an example. It’s very explicit in what it asks you to allow. Dont want it to be able to do that? Hit cancel and go about your life. Change your mind later on? That’s a bit more difficult 'cause the SSO team is bogged down by literally everything and the interface for doing that is a bit more tedious.
And as @Steve_Ronuken has said, ESI application devs (not ccp devs) cannot use any information provided by a user’s access authorization in an EVESkunk style. We do, CCP shuts down our app access and quite likely bans us from being able to develop any other apps (you need an eve account to log in to the app dev site). Frankly, EVESkunk was only possible because people dont periodically invalidate their old API keys, and the XML api provided a means for scraping through evemails to siphon off more keys, which yielded more points of entry for an eve-style ‘wiretap.’ If Steve tried that, he’d be out the door as an ESI app dev damn quick, and would crash and burn his reputation as well