Here’s an idea for a feature that would be useful in many products:
A regular account can request an auth token, specifying the time frame during which it is valid as well as giving a per-device list of functions and variables it is allowed to call/query. All limits are optional (i.e. you can limit time but allow all features, or limit some features but keep the token until revoked, or limit one device but not the rest, etc.). This will need to come with a way to list all active tokens, with their names and descriptions, as well as a way to revoke them.
Whatever the IoT device, it would be nice to allow the primary account owner to share secondary accounts with kids, visitors, service people etc., without exposing the keys to the castle.
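The scoped-token scheme described above, written out as a small in-memory registry: optional expiry, optional per-device allow-lists of callable functions and readable variables (a missing limit means "no restriction" at that level), plus listing and revocation. This is an added illustration, not the poster's code and not any vendor's API; the class and method names (`TokenStore`, `DeviceScope`, `issue`, `authorize`, `list_active`, `revoke`) and the sample device and function names are assumptions made for the example. The store keeps only a SHA-256 hash of each issued token, so the "list active tokens" view can show names and descriptions without ever exposing the secrets themselves.

```python
"""Scoped sub-account tokens for an IoT account (added example, not vendor code).

A token may be limited by time, by device, and per device by the functions it
may call and the variables it may read. Any limit left as None is "unrestricted".
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DeviceScope:
    """Allow-lists for one device. None means every function / every variable."""
    functions: Optional[Set[str]] = None
    variables: Optional[Set[str]] = None


@dataclass
class TokenRecord:
    name: str
    description: str
    expires_at: Optional[float]                 # None = valid until revoked
    devices: Optional[Dict[str, DeviceScope]]   # None = all devices, all features
    revoked: bool = False


class TokenStore:
    """Registry of issued tokens, keyed by SHA-256(token) so secrets are never stored."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, name: str, description: str, *,
              valid_for: Optional[float] = None,
              devices: Optional[Dict[str, DeviceScope]] = None,
              now: Optional[float] = None) -> str:
        """Create a token; the plaintext is returned exactly once, only its hash is kept."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        expires_at = None if valid_for is None else now + valid_for
        self._records[self._key(token)] = TokenRecord(name, description, expires_at, devices)
        return token

    def list_active(self, now: Optional[float] = None) -> List[Tuple[str, str, Optional[float]]]:
        """Names, descriptions and expiry of tokens that are neither revoked nor expired."""
        now = time.time() if now is None else now
        return [(r.name, r.description, r.expires_at)
                for r in self._records.values()
                if not r.revoked and (r.expires_at is None or now < r.expires_at)]

    def revoke(self, name: str) -> int:
        """Revoke every live token with this name; returns how many were revoked."""
        count = 0
        for rec in self._records.values():
            if rec.name == name and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def authorize(self, token: str, device_id: str, kind: str, target: str,
                  now: Optional[float] = None) -> bool:
        """Decide whether `token` may use `target` (a function or variable) on `device_id`."""
        if kind not in ("function", "variable"):
            return False
        rec = self._records.get(self._key(token))
        if rec is None or rec.revoked:
            return False
        now = time.time() if now is None else now
        if rec.expires_at is not None and now >= rec.expires_at:
            return False
        if rec.devices is None:            # no device limit: full account access
            return True
        scope = rec.devices.get(device_id)
        if scope is None:                  # device not listed: deny
            return False
        allowed = scope.functions if kind == "function" else scope.variables
        return allowed is None or target in allowed


def demo() -> Dict[str, bool]:
    """Issue a one-hour visitor token limited to the thermostat and exercise the checks."""
    store = TokenStore()
    visitor = store.issue("visitor", "weekend guest", valid_for=3600, now=1000.0,
                          devices={"thermostat": DeviceScope(functions={"setTemp"})})
    return {
        "set_temp": store.authorize(visitor, "thermostat", "function", "setTemp", now=2000.0),
        "factory_reset": store.authorize(visitor, "thermostat", "function", "factoryReset", now=2000.0),
        "read_temp": store.authorize(visitor, "thermostat", "variable", "temperature", now=2000.0),
        "garage": store.authorize(visitor, "garage", "function", "open", now=2000.0),
        "expired": store.authorize(visitor, "thermostat", "function", "setTemp", now=5000.0),
    }


if __name__ == "__main__":
    print(demo())
```

`authorize` is the single enforcement point: every call or query goes through it with the device and the named function or variable, so the permission model stays easy to audit, and `list_active` gives the owner the overview needed to spot forgotten tokens and revoke them.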