Weekly GDPR API status development - Jul 12 (Profile Visibility Controls Launching on Monday)

@EliDaniel - I’ll have to check on /user/search and /issue/<issue_id>/changelog since what you’re describing is unexpected. Usernames and user keys should have been removed and replaced with accountID regardless of auth mechanism.

In terms of the application of profile visibility controls, the set of data returned when an API token is used is similar to a user session, whereby the user whose API token you’re using will have their private data returned (as if they were looking at themselves) but public data for everyone else. Apps can only see public data.

The limitation with using an API token instead of an app is that if you were to want to access private data (e.g. email addresses for other users on your system) for the purposes of syncing users across systems, we would not be able to provide access to the restricted email API (described here).