Are there instructions somewhere for what permissions Hotel Booking actually needs for Stripe so that I can use a restricted API key from Stripe instead of a general API key?
Best practice is always to grant least amount of access needed. Especially given that the key shows up in plain text in the settings and is likely unencrypted in the WP database, it would be nice to use a restricted key.
The instructions for setting up Stripe should probably be updated to recommend that to everybody.