Personal Access Token API permissions - documentation

I'm uncertain what some of the explanatory text means when I'm creating a Personal Access Token.

Specifically, it says that if I grant API Scope, then it "grants complete read/write access to the API, including all groups and projects."

Is that really true? Or is it still limited by what I as a user already have access to see and modify? Surely I can't just exceed my granted permissions simply by using the API, can I?

In any case, is there also another (global?) layer of permissions that an administrator must set up in order to allow API access for the users on the system?