I'm unsure if this is by design or not, but any user with API permissions to create a connection (haven't tested updates or other endpoints) is able to add an arbitrary field. You will get a successful result back mirroring the data you added. If you open a web inspector and navigate to the connection properties you will see that information in the response.
For example, I can tell the API to write test to data field thisisfake and it will write it and display it.
I'm unsure if this is by design or not, but any user with API permissions to create a connection (haven't tested updates or other endpoints) is able to add an arbitrary field. You will get a successful result back mirroring the data you added. If you open a web inspector and navigate to the connection properties you will see that information in the response.
For example, I can tell the API to write test to data field thisisfake and it will write it and display it.