It is possible to secure content publishing by limiting API keys to only specific sources. This enables giving least permissions to API keys and avoid any malicious use.
If you use an API Key that is only meant to publish content from a given application, you can now change the role associated to this API Key to Content_Publisher instead of KHub_Admin, and then edit the corresponding source configuration where this API key is used to allow it to publish.