I noticed in two of our environments a new Account Admin was created called Catalog API (DON'T DELETE). We place restrictions on our top level account users and have been removing these types of accounts for a while. I assume Canvas has created this account for "Canvas Catalog" to function better. Do you have some meaningful documentation for it and can you tell me why you didn't go with a developer API key instead? it would have been more secure if it was restricted to just the API calls it uses.
Can you also confirm it needs every permission the LMS offers?
This account appears to be calling the following limited APIs over and over again. Can it have its access reduced or moved to a developer API KEY