The secret keys on the devices are unique for every device.
If a device gets compromised, the secret API key grants access to the following:
- changing the device metadata
- reading metadata of the application associated with the device
- reading environment variables associated with the device
- reading environment variables for the application that is associated with the device
- reading build logs of the application associated with the device
But all secret keys on the device can be revoked by deleting the device in the dashboard.
If someone copies the SD card of a device and attaches it to another device, there will be no prompt for another device registration because the provisioning key is not available anymore on the device.
If you are interested, this process is also explained in our docs in the security section: https://docs.resin.io/security/#device-access
Hope this answers your questions.