This can be a huge improvement on data security in the Shopify ecosystem.
Unfortunately, we are facing a use case that does not seem to be considered with the current implementation.
The API defines now some protected objects, like PriceRule or Order, because they may potentially contain customer data. If you want to access those objects, you must request protected customer data access, explaining how you treat the customer data.
However, we need to access those objects but we do not need to access any customer data.
For example, we use PriceRule to create a discount code. The object is protected because a discount code can be created only for a particular customer but this is not the case for us, we want to create a discount code that can be given to any customer. Similarly for the Order object, we only need to read the ids of the products of an order, we do not need any customer data.
The protected customer data access form does not have an option for this use case, so we cannot fill it with truthful answers (the questions are all related to how you treat the customer data that you gather).
We reached Shopify Partner Support to find a solution for this use case but they were not able to help. Hope someone here can point us in the right direction.