Thanks for your valuable feedback, will definitely work on it.
Regarding your query, please find my answer inline and let us know if any other help required from our end:
What confused me is that I was able to add a simple JSON document using only API Key and SECRET key. So who is able to access this document? Does it belong to someone? In the FAQ "Security" it's written that "In ACL enabled app, it is required to pass sessionId of user who is making call." I haven't used any sessionIs as I don't have any user in the TEST db. That did not prevent me from adding my simple JSON doc. So required or not ?
Ans: It is because of the document which you insert in Storage service is inserted as a ANONYMOUS USER. In this case, anyone can access this document and update it. Using the session id or admin key document is bind with the owner name for whom the session is associated and later on only that user/Admin(Using the admin key) will have access to update the document.
Ques: The same page use the the term PUBLIC/READ or PUBLIC/WRITE or PUBLIC/ALL. Are they reserved ROLE ? What do you mean by ALL ? WRITE should obvously grant READ access ... Does ALL mean there are others reserved ROLES ? The "Create User With Role" API example, add Admin, Manager, Programmer, Tester roles. Are we talking about the same kind of role and ACL ?
Ans: Role in user service is not related to ACL. It is a role which you assigned to your app users. For example: If you have E-Commerce app over there you have two type of user. 1 is Buyer and 2nd is Seller. So you can assign role as buyer and seller.
Yes, you are right if you have PUBLIC WRITE access that means you have READ access as well. It is just a representation of Form and I would suggest my team to have a look into it and remove it they can.
Please feel free to let me know if you need any other help from my side.
For more details on ACL, please go through this tutorial.