As best I can tell (the reasoning for both methods isn't documented anywhere I can find), your guess is correct.
Please take anything I say here with a grain of salt; I'm not part of Fortinet's API team, I've just experimented with the API a bit and have access to some additional documentation (where that header option comes from).
For API admins with a token, by default you can't set a super_admin profile, and it is strongly recommended to create an admin profile for API admins and restrict it to only the necessary privileges, probably due to exactly what we've discussed here: the token is not exactly secret.
I don't know if you have access to the Fortinet Developer Network (fndn.fortinet.net) - there is extensive API documentation available, and forums discussing API use cases. If you don't have access, you can reach out to your Fortinet Sales representative regarding getting sponsored for access.
Hope that helps :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
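As an added illustration of the restricted-profile recommendation above (this is not from the post or from Fortinet's documentation, and the profile name "api-readonly", the API user "api-monitor", the VDOM "root" and the trusted subnet 10.0.0.0/24 are assumed values), a FortiOS CLI fragment that creates a read-only admin profile, binds an API user to it, limits where the token may be used from, and then generates the token:

```fortios
# Added example: a least-privilege admin profile for an API user.
# Every permission group is read-only; nothing here grants write or super_admin.
config system accprofile
    edit "api-readonly"
        set scope vdom
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wifi read
    next
end

# The API user is bound to that profile and to a single VDOM, and the
# trusthost entry makes the token useless from any other source address.
# (All names and the 10.0.0.0/24 subnet are assumptions for the example.)
config system api-user
    edit "api-monitor"
        set accprofile "api-readonly"
        set vdom "root"
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.0.0 255.255.255.0
            next
        end
    next
end

# Generate (or regenerate) the token; it is shown once, store it securely.
execute api-user generate-key api-monitor
```

The point of pairing the profile with a trusthost is that the token itself is the only credential, so anything that lowers the blast radius if it leaks (read-only groups, a single VDOM, a source restriction) is worth configuring before the token is handed out. Regenerating the key with the same `execute` command invalidates the previous one.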