I've learned that providing an APNS “Key (Cannot expire)” instead of an APNS “Certificate (Can expire)” will provide the app "access to all topics" for all apps within the organization ‘team’ that the key is forged from.
1.) Can someone elaborate on the specifics for what that means from a security perspective?
For instance, if my organization 'team' manages many applications under the same umbrella account and provides the same (or different) APNS key to each app, but one of the apps accidentally (or intentionally) wants to utilize the APNS key to affect the other apps, what are the potential consequences?
And, is it possible to create a new APNS key for each app to close any security concerns for multiple apps managed under the same account, or are we stuck with every key having access to all topics?
The concern over the "Key" would be if it escapes, then whoever has obtained it will be able to use it to send notifications to the apps under that team. It is the team's responsibility to protect it, and revoke it if there is a suspicion that it may have escaped.
It is not possible to have a different key for each app. If that is the required security model, then certificates are the way to go. The downside being they will expire and will need to be renewed (new certificates created and updated at the push servers) by the team who manages them.
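An added example (not part of the original answer and not Apple's code) of why the key is team-wide: the provider token built from an APNs key commits only to a key ID and a team ID, while the target app is named per request in the `apns-topic` header, so any per-app restriction has to be enforced by whoever holds the key. The key ID, team ID, signature, service names, bundle IDs and the `ALLOWED_TOPICS` policy are constructed assumptions.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

# Constructed sample token: key ID, team ID and signature are placeholders.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "ES256", "kid": "KEYID00000"}).encode()),
    b64url(json.dumps({"iss": "TEAMID0000", "iat": 1700000000}).encode()),
    b64url(b"constructed-signature-placeholder"),
])

def token_binding(token: str) -> dict:
    """Return every field the provider token commits to (header plus claims)."""
    header_seg, claims_seg, _signature = token.split(".")
    fields = json.loads(b64url_decode(header_seg))
    fields.update(json.loads(b64url_decode(claims_seg)))
    return fields

# Hypothetical policy for an in-house push service that is the only holder
# of the key: each internal caller may push only to its own bundle ID.
ALLOWED_TOPICS = {
    "billing-service": {"com.example.billing"},
    "chat-service": {"com.example.chat"},
}

def build_request_headers(caller: str, topic: str, token: str) -> dict:
    """Build APNs request headers, refusing topics the caller does not own."""
    if topic not in ALLOWED_TOPICS.get(caller, set()):
        raise PermissionError(f"{caller} may not push to {topic}")
    # The topic travels as a request header; nothing in the token limits it.
    return {"authorization": f"bearer {token}", "apns-topic": topic}

if __name__ == "__main__":
    print(token_binding(SAMPLE_TOKEN))  # no bundle ID or topic among the fields
    print(build_request_headers("chat-service", "com.example.chat", SAMPLE_TOKEN))
```
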