Yes. Although he didn't even ask which exchange it's from, which is kinda the point. API key is useless without the service. Bitcoin private key can be used regardless of any third party service.

CryptoSparks is trying to have it both ways here. He was claiming that if he gives an API key to the client (presumably from some account he created) - the client is "risk free" because the API key can act as a private key (see option 1 here - where he clearly says that he also has full e-mail etc access to the account). But if the client gives him an API key then it's also "risk free" if they key is enabled only for trading (option 2 in the above link).

Neither of these scenarios is risk free. I don't really care much about the rest of his word games.