Following the security principle of least access, it would improve security to offer a third API key that unlike the Content API key can access non-public content and unlike the Admin API key, only needs read-only access to things.
A full-text search engine that works private context would a great use of this. The service doesn’t need permission to post or delete photos, so using the admin API key has extra risk here.