Why does subscribing to webhooks require Protected Customer Data approval, but querying the same data via Admin API does not?

We have a public app on the Shopify App Store, and we want to identify which of our installed stores have a real B2B use case — stores that have created companies and are actively using Shopify’s B2B features. Webhooks let us detect this in real time instead of polling the Admin API across all stores. We can query company data via the GraphQL Admin API without issues if we have the read_companies access scope, but subscribing to webhooks for the companies/create and companies/update topics fails with the error below:

This app is not approved to subscribe to webhook topics containing protected customer data.

The same data is accessible via the Admin API without Protected Customer Data approval but blocked behind it for webhooks. If this data is protected, shouldn’t the API also require approval? If it’s not, why do webhooks need it?

The Protected Customer Data docs don’t explain this distinction.

Also, along the same lines, what is the recommended way to identify which stores have a real use case for B2B, or are actively using B2B features, using the Shopify Admin API, so that our app can support B2B storefronts properly?

But if you were to query the following, without read_customers or protected customer data, does it work or throw an error?

{
  companies(first: 10) {
    edges {
      node {
        contacts(first: 10) {
          edges {
            node {
              # customer is the field gated by the read_customers scope
              customer {
                firstName
                lastName
              }
            }
          }
        }
      }
    }
  }
}

Yeah, it does throw an error with the read_companies access scope granted but no read_customers. The customer field is blocked:

"message": "Access denied for customer field. Required access: `read_customers` access scope."

And that’s okay for us, since we don’t need any customer data anyway. But we need the companies/create and companies/update webhooks, which don’t include any customer data either, as shown in their sample payload:

{
  "name": "Example Company",
  "note": "This is an example company",
  "external_id": "123456789",
  "main_contact_admin_graphql_api_id": "gid://shopify/CompanyContact/408372092144951652",
  "created_at": "2021-12-31T19:00:00-05:00",
  "updated_at": "2021-12-31T19:00:00-05:00",
  "customer_since": "2021-12-31T19:00:00-05:00",
  "admin_graphql_api_id": "gid://shopify/Company/408372092144951419"
}

We are able to access these exact same fields through the GraphQL Admin API without having protected customer data access for our app, so my original question still remains: the same data is accessible through the GraphQL Admin API but restricted through webhooks. Why?