TeslaFi gives the impression that there are two types of access token: Read/only ones, and "Control" ones. When you generate a token, you have to tell TeslaFi that you want a "Control" one for TeslaFi controls to be enabled.
Looking into this, it turns out that Tesla only has one type of token, and it allows complete control of the vehicle. I validated this by using my "Read only" token generated by TeslaFi in a small script using the API, and it could open doors, etc.
I think this gives people a false sense of security, and I would strongly recommend TeslaFi makes this clear, and dissociate whether to allow TeslaFi's controls to be enabled from the token generation. The situation is fine as long as TeslaFi doesn't get hacked or our tokens otherwise don't get out - but if someone gets your token, they can control your vehicle.
Customer support service by UserEcho