It's also the API design of many IaaS/SaaS providers. It's often extremely hard to limit tokens to the right scope, if even possible.

Most access tokens should not allow deleting backups. Or if they do, those backups should stay in some staging area for a few days by default. People rarely want to delete their backups at all. It might be even better to not provide the option to delete backups at all and always keep them until the retention period expired.