Which of the following statements is true regarding Shopify's API permissions?

Shopify's API permissions must be explicitly granted by the merchant. This means that when a third-party application requests access to a store's data via the API, the store owner has to review and approve those permissions. This approach ensures that merchants have control over what data they share and with whom, enhancing security and privacy within the Shopify ecosystem.

Explicit permission also allows merchants to understand the specific functionalities they are enabling for an application, making them more informed about how their data will be used. Thus, the requirement for merchant approval reflects Shopify's commitment to safeguarding sensitive information and supporting best practices for data protection.

Other options do not accurately reflect how API permissions work in Shopify. For instance, automatic granting of permissions does not provide the necessary oversight for data security. Permissions are not limited to public applications, as private applications also require explicit permission. Additionally, since permissions are tailored based on the specific needs and approvals of each merchant, they are not uniform across all users or stores.