> Why would an API key (regardless of its scope) be able to delete without confirmation?

What do you think an API is for? There's no user sitting at the keyboard when an API is called so where would that confirmation come from? It can't come from the user because there is no user.