Tuesday, August 7, 2018

What Happens When You Give a Salesforce Profile Permissions to No Apps?

In our current project, we're integrating Salesforce with a backend user registration database for a mobile app. After users download the mobile app and register their accounts, their basic profile information (first name, last name, username, birthdate, etc.) is captured in a database. My service team wants these users captured in Salesforce as contact records.

One of our agile teams has implemented the database, and is pushing the data into Salesforce using REST API call-outs.

For the initial proof of concept, we gave them a Salesforce user account configured with a System Administrator profile. I know, however, that several team members now have the username and password for this integration user. It's time to move that user account to a new profile, and start locking it down -- so that it can only do what I need it to do: insert new registered users, and update Contact records (in case a user changes any of their information in the mobile app).

There are a number of settings I know I'm going to want to set -- like preventing the password from expiring for this data migration user. I'll also want to set the profile so that users can have API access only -- no ability to log in via the standard Salesforce login pages. There are probably a bunch of other settings I'll want to make, too. I figured the best way to start was to look at the profile, and review its configurations top to bottom.



The first config setting to go through was Assigned Apps. Now I know that this profile is going to be eventually locked down so that it can only access Salesforce via the API -- but what happens if some future admin removes that setting? If users do somehow get access to Salesforce via the standard login page, I want their actions to be highly restricted (this org may contain sensitive information, and I want to make sure the profile can only access the things it needs to access).

But what happens when you give a Salesforce profile permission to NO apps? I didn't know -- and a quick Google didn't turn up much either. So, I config'd it up.

As it turns out, it's not possible to give a profile permission to NO apps. You have to select at least one. So I gave my Data Migration profile permission to the App Launcher only. That had the desired result: clicking the app launcher menu showed no available apps for the user to select from. That's just what I want.



Now to whip through the other config settings.
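
The "what happens if some future admin removes that setting?" concern can be checked mechanically against the profile's retrieved metadata. The following is an added example, not code from the original post: it audits a Profile XML file for the lockdown described above (API-only access, non-expiring password, App Launcher as the only visible app, create/edit on Contact only). The baseline values, the read right on Contact, the app API names and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
REQUIRED_PERMS = {"ApiEnabled", "ApiUserOnly", "PasswordNeverExpires"}
ALLOWED_APPS = {"standard__AppLauncher"}  # assumed API name for the App Launcher
ALLOWED_OBJECT_RIGHTS = {"Contact": {"allowCreate", "allowRead", "allowEdit"}}  # assumed baseline
RIGHTS = ("allowCreate", "allowRead", "allowEdit", "allowDelete",
          "viewAllRecords", "modifyAllRecords")

# Constructed sample (not from a real org): a drifted profile with "API Only User" off.
SAMPLE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
 <applicationVisibilities><application>standard__AppLauncher</application>
  <default>true</default><visible>true</visible></applicationVisibilities>
 <applicationVisibilities><application>standard__Sales</application>
  <default>false</default><visible>true</visible></applicationVisibilities>
 <objectPermissions><allowCreate>true</allowCreate><allowDelete>true</allowDelete>
  <allowEdit>true</allowEdit><allowRead>true</allowRead>
  <modifyAllRecords>false</modifyAllRecords><object>Contact</object>
  <viewAllRecords>false</viewAllRecords></objectPermissions>
 <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
 <userPermissions><enabled>false</enabled><name>ApiUserOnly</name></userPermissions>
 <userPermissions><enabled>true</enabled><name>PasswordNeverExpires</name></userPermissions>
</Profile>"""

def _is_true(node, tag):
    return (node.findtext(f"sf:{tag}", "false", NS) or "").strip() == "true"

def audit_profile(xml_text):
    """Return sorted findings where the profile misses or exceeds the baseline."""
    root = ET.fromstring(xml_text)
    findings = []
    enabled = {p.findtext("sf:name", "", NS) for p in root.findall("sf:userPermissions", NS)
               if _is_true(p, "enabled")}
    findings += [f"missing user permission: {p}" for p in REQUIRED_PERMS - enabled]
    for app in root.findall("sf:applicationVisibilities", NS):
        name = app.findtext("sf:application", "", NS)
        if _is_true(app, "visible") and name not in ALLOWED_APPS:
            findings.append(f"unexpected visible app: {name}")
    for obj in root.findall("sf:objectPermissions", NS):
        name = obj.findtext("sf:object", "", NS)
        granted = {r for r in RIGHTS if _is_true(obj, r)}
        for extra in granted - ALLOWED_OBJECT_RIGHTS.get(name, set()):
            findings.append(f"excess object right: {name}.{extra}")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit_profile(SAMPLE):
        print(line)
```

Run against a profile file retrieved through the Metadata API, an empty result means the profile still matches the baseline; any object not listed in the baseline is reported with every right it grants.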
