Kind of a self-defining question, isn't it?
If RO Person suffices for the project, then that's all they need.
My personal feeling is if a developer claims to not need even a temporary user (true UI user) account during a significant project, they're either supremely qualified or not really qualified. Most custom projects require more general knowledge of the instance than you can get from a tightly restricted API-only user. There are exceptions, of course, but you haven't told us what this pj is about.
My general best practices would be:
- As Sanford mentioned, its critical to verify that person to highly qualified before being given any access.
- Setup a role and related permissions that will give access to only what is needed. Even Read Only has more granular options. At the role level (permissions) and at the user level (workspaces). Ex: If all that person needs is to read assets, then give RO on assets only.
- Setup a separate user. You need this to report on specific source of API activity (and see who might be eating all your API calls!).
- Use user expiration if applicable. I.e. if all you are doing is data cleaning via API and that person needs only access for a couple weeks, then set an expiration date on his user.
- Compliance: If they give access to lead data, that might be a red flag for GDPR compliance as this custom solution will be considered as "data processor". Then...that's another topic altogether I guess!