In most cases, those APIs are both remotely accessible and wrapped into a web-based user interface.
This combination is the cloud management plane, since consumers use it to manage and configure the cloud resources, such as launching virtual machines (instances) or configuring virtual networks. From a security perspective, it is both the biggest difference from protecting physical infrastructure(since you can't rely on physical access as a control)and the top priority when designing a cloud security program. If an attacker gets into your management plane, they potentially have full remote access to your entire cloud deployment.
Ref: CSA Security Guidelines V4

It is true. This is how Private cloud is defined.
Private Cloud: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or by a third party and may be located on-premises or off-premises.

Redundancy has nothing to do with abuse of high privilege roles. All others can lead to risk of risk of
"abuse of high privilege roles" or "Cloud provider malicious insider"