On AWS, you can restrict an Access Key / Secret Key to certain S3 bucket(s). This way, your app A can hack bucket X, and your app B can have bucket Y, but if A gets compromised, It won't be able to delete files from Y.

It is way too complicated on AWS, but very powerful.

Being able, on Digital Ocean, to check "all Spaces" or "Space A" or "Space A + Space B" for a given Spaces access key would be great. Like selecting "all repos" or "repo A" on Github !