I would be as hesitant as you are to give a business that might not have a verified reputation my API credentials. You are right, they could essentially do any API operations on your account that they want if they have those credentials. There are other products that the merchant could use, such as the PayPal Commerce Platform, that would simply have you "onboard" through PayPal to the merchant, then they could do a limited number of API operations, but this requires the merchant you're working with to build this out. Worst case, you could give the API credentials and closely monitor their actions, "removing and replacing" the credentials if you see they're taking actions you do not approve of.
I hope that helps!