Just want to make sure I got this right. Customers that claimed a device that belongs to a product can access most of the https://api.particle.io/v1/devices APIs but they are not allowed to access product and organization endpoints via https://api.particle.io/v1/products/:productId/devices APIs.
Customer access tokens cannot use any of the product or organization endpoints.
They also can only access a small subset of the user API, such as function and variable in the device endpoint. Most of the other endpoints such as flashing code, are not allowed for customer tokens.