The $100/provider cap framing is right but it's not the whole story. Stripe is doing what issuers have done on consumer cards for a decade: single-merchant velocity rules, tokenized PANs, programmatic spend caps that update over network. The new bit is that they're exposing it as an API for agents instead of as a policy on the issuer's side. The cap also runs on the same tokenized credential the provider sees, so revocation propagates without re-onboarding.
Where I'd want more detail is the OAuth flow against existing accounts. If I already had a Cloudflare account before Stripe Projects, what's the trust model when an agent provisions against it? Identity binding for fresh accounts is clean, but the wire from existing-account to tokenized agent credential is usually where edge cases surface.