Service Account Access

@pdxuser

enabling an API be default to be on is bad practice

Service Accounts don't make use of an API – they interact with items and vaults using the same methods as a human user would using the app, just through the command line, rather than graphically. The switch shown to allow Service Accounts access to a vault is functionally similar to the "Safe For Travel" switch.

Turning off "Safe For Travel" essentially tells 1Password not to show that vault to anyone on any of the 1Password apps.
Turning off "Service Account Access" tells 1Password not to show that vault to Service Accounts anywhere.

The switch is more about your privacy from Service Accounts, rather than anything to do with security. You would have to deliberately sign in to 1Password.com, go to the Integrations Directory, then click "Create a Service Account" and follow the steps from there to create a Service Account.

Even then, that Service Account isn't going to do anything until commanded to do so. To make it do something, you would have to then set up an automation for it from the 1Password command-line interface.

It prevents inadvertently setting up CLI credentials

There are no separate credentials required for the CLI. If you, as a regular user, want to use the CLI, you would use your normal sign-in details of email address, Secret Key, and account password.

Experts who are setting up CLI will know that the switch needs to be toggled to "on".

Users who are using the CLI don't have to set up Service Accounts to do so – they can use the CLI using their own sign-in details. As such, the Service Account Access toggle will do nothing.

In summary then, for the Service Account Access switch to have any effect, there must be at least one active Service Account set up on your 1Password account, and that Service Account needs to have an automation assigned to it. Unless both of those things are true, then that switch's position won't matter at all.