Account Capabilities entitlement effectively entails all entitlements #166

Open

Description

https://discord.com/channels/613813861610684416/1234593264196128768/1234616114307272756:

From `auth(Capability) &Account`, it is not obvious that it can add keys, for example (by issuing an account capability).

Basically, granting Capabilities grants everything, due to the ability to issue an account capability controller.

The same applies to AccountCapabilities – it might not be obvious that it effectively grants all account entitlements.

Document potentially dangerous entitlements:

  • Contracts, AddContract: Allows adding a contract, which has access to the whole account
  • Capabilities, AccountCapabilities, IssueAccountCapabilityController: Allows issuing an account capability controller, potentially with access to the whole account
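
A review aid for the entitlements listed above, added here as an example and not part of the issue or of the Cadence project: it scans a transaction's source for `auth(...) &Account` parameters and reports any entitlement from that list. The names `audit`, `FULL_ACCESS` and `SAMPLE_TX` are hypothetical, the sample transaction is constructed, and the matching is regex-based rather than a real Cadence parser.

```python
import re

# Entitlements the issue lists as effectively granting the whole account,
# with the reason stated there. Nothing beyond that list is checked.
FULL_ACCESS = {
    "Contracts": "can add a contract, which has access to the whole account",
    "AddContract": "can add a contract, which has access to the whole account",
    "Capabilities": "can issue an account capability controller",
    "AccountCapabilities": "can issue an account capability controller",
    "IssueAccountCapabilityController": "can issue an account capability controller",
}

# Matches `name: auth(E1, E2 | E3) &Account`.
AUTH_ACCOUNT = re.compile(r"(\w+)\s*:\s*auth\s*\(([^)]*)\)\s*&\s*Account\b")

def strip_comments(source):
    """Drop /* */ and // comments so commented-out signatures are ignored.
    Naive: does not account for comment markers inside string literals."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)

def audit(source):
    """Return (parameter, entitlement, reason) for every flagged grant."""
    findings = []
    for param, entitlements in AUTH_ACCOUNT.findall(strip_comments(source)):
        # Entitlement sets are written with `,` (all of) or `|` (one of).
        for ent in re.split(r"[,|]", entitlements):
            ent = ent.strip()
            if ent in FULL_ACCESS:
                findings.append((param, ent, FULL_ACCESS[ent]))
    return findings

# Constructed sample: the signer parameter asks for Capabilities.
SAMPLE_TX = """
transaction {
    // earlier draft: signer: auth(Contracts) &Account
    prepare(signer: auth(Storage, Capabilities) &Account,
            payer: auth(BorrowValue) &Account) {
    }
}
"""

if __name__ == "__main__":
    for param, ent, reason in audit(SAMPLE_TX):
        print(f"{param}: auth({ent}) {reason}")
```
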

Labels: documentation (Improvements or additions to documentation)
