Made clear that installing from pypi requires `read_api` only.

What does this MR do?

This MR makes it clear that users do not need to issue access tokens with the `api` scope to download a package from PyPI, thus reducing the token's permissions to the minimum required (`read_api`).

Does this MR meet the acceptance criteria?

Conformity

(I have left the items below unattended as they do not seem applicable to this MR)

Security

This MR does not contain changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines.

However, this MR helps users reduce the risk of privilege escalation, because they can issue a token with lower privileges than previously recommended.