GraphQL API requires to be authenticated in order to process requests.
In order to obtain access to API resources, an API key is required to be sent along with the appropriate GraphQL query as an HTTP header -
By default API key grants you access to queries - which means you can only read data. If mutations(write) access is required you need to specify write access on key creation.
A regular API key provides you with access to the entire set of products. It is also possible to limit that by assigning a segment while creating the key. If assigned the consumer will only have an access to the products which are available in the specific segment. This also means that, if write access is granted, you'll be able only to modify the data of products available within the segment.
The only exception from that is when the product is created in batch request with further mutations - though possibly not yet part of the segment since you are the creator of it you can modify its data within this request.