Hi @unixdespair good night.
You can set the IAM Role for the user in the container level, if you set reader role, so this user will just can read the blobs inside your storage account and with it you minimize the access just to specific container.
However, if the user has one of the storage account Keys (Key1 or Key2) of you storage account, this user can do everything in this storage account until that the storage access keys has been regenerated, it's quite importante do not share de access Keys, i don't know if it's the case but, could use SAS(shared access signature).
I hope it can help you.
