Vault policy to issue/create a certificate (trying to harden Vault)

I am using this policy:

path "pki-int/*" {
    capabilities = ["create", "update", "read", "list"]
}

I am creating the token later with this:

vault token create -policy=my-policy

It works, and I can request certificates, but I wonder whether, because of the update option in the policy, this could be a security risk, allowing someone with that token to update the intermediate root CA?
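
For comparison with the policy in the question, an added example (not part of the original post) of a policy scoped to certificate issuance only. The role name my-role is an assumption, as is that certificates are requested through the issue endpoint of the pki-int mount.

```hcl
# Added example. "my-role" is a hypothetical PKI role name.

# Before (the policy from the question): the glob covers every endpoint
# under the mount, so "update" also applies to roles/*, config/* and
# intermediate/set-signed, not just to certificate requests.
#
# path "pki-int/*" {
#     capabilities = ["create", "update", "read", "list"]
# }

# After: the token can only request leaf certificates from one role.
# Writing to the issue endpoint is what needs create/update.
path "pki-int/issue/my-role" {
    capabilities = ["create", "update"]
}

# Defence in depth: deny takes precedence over any other capability, so
# these paths stay blocked even if a broader policy is attached to the
# same token later.
path "pki-int/roles/*" {
    capabilities = ["deny"]
}

path "pki-int/config/*" {
    capabilities = ["deny"]
}

path "pki-int/intermediate/*" {
    capabilities = ["deny"]
}

path "pki-int/root/*" {
    capabilities = ["deny"]
}
```

With a token created from this policy, `vault token capabilities pki-int/roles/my-role` should report `deny`, while `vault token capabilities pki-int/issue/my-role` should list `create` and `update`.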