Is it possible to limit a user's permissions scope to prevent him from accessing (using the external API mechanism) all the models except a few ones?

As the very first test, I tried to block all the models:

• create a brand new and empty Group (User types/API) - no Access Rights or Record Rules added;
• add a user to it;
• remove the user from any other Groups (like "Internal User");

But, when I log in and request a model using API calls - it works, just like all the needed permissions have been granted!..