There were many people taking part in this discussion but I’m just going to take all the credit for providing the summary here. Contributors can claim the free drink from me when we meet.
If you are planning to use alternate keys to access CRM data, keep in mind that the fields with field level security applied are not available for selection as a part of a key.
If you have an existing key and try to apply FLS to one of the attributes, you will be knocked back:
The field Foobar is not securable as it is part of entity keys ( Barbaz_key ). Please remove the field from all entity keys to make it securable.
It all makes sense if the field is secured for creates and updates, it’s a pity that the rule is a blanket one and covers read permissions as well – it would make perfect sense to secure the key attributes as read-only for majority of users and only enable create/update for a selected group.