Now only the privileged account can access the privileged api, this is true.
However, I think the get_resource_limits should be take out of it because it is just a get-action.
1. My contract can know how much ram or net or cpu has been used when an inline action is executed, then it can decide if to accept it or not.
2. When I transfer token to others, if others’ account take your ram, then you can monitor it and let the transfer fail.
Now we can only get account usage with the RPC, but not in the contract, is it right?