Is the security a bit too open here?

Great plugin. However, I’m a bit concerned about security. You say that the service account needs Storage Admin permission, and then in the settings are revealed bucket name, folder name and the JSON credentials. This is ok for my own site, but I develop sites for other clients. I provide a managed service, so I’m responsible for setting up the WordPress site and deciding what plugins are needed to deliver the most appropriate affordable service for the client. I think my clients would benefit from having this plugin and I’d like to provide buckets in my own Google Cloud Platform account to store their assets. But that means revealing credentials to my client, for a service account that could be used to access other folders and buckets. Am I missing something? Is there are way to mitigate this? I’ve looked quite thoroughly at the permissions available within GCP. IAM is too broad and although the documentation says that ACLs can be used for fine grained control over permissions, I tried setting them up but the edit page tells me ACLs can no longer be edited via the GCP console. Any advice for how to get around this? Thanks.