diff --git a/internal/googleapi/client.go b/internal/googleapi/client.go
index 40a77d73..1642d407 100644
--- a/internal/googleapi/client.go
+++ b/internal/googleapi/client.go
@@ -99,7 +99,7 @@ func optionsForAccountScopes(ctx context.Context, serviceLabel string, email str
 
 	var ts oauth2.TokenSource
 
-	if serviceAccountTS, saPath, ok, err := tokenSourceForServiceAccountScopes(ctx, email, scopes); err != nil {
+	if serviceAccountTS, saPath, ok, err := tokenSourceForServiceAccountScopes(ctx, serviceLabel, email, scopes); err != nil {
 		return nil, fmt.Errorf("service account token source: %w", err)
 	} else if ok {
 		slog.Debug("using service account credentials", "email", email, "path", saPath)
diff --git a/internal/googleapi/service_account.go b/internal/googleapi/service_account.go
index 021963c5..6455b54e 100644
--- a/internal/googleapi/service_account.go
+++ b/internal/googleapi/service_account.go
@@ -25,7 +25,7 @@ var newServiceAccountTokenSource = func(ctx context.Context, keyJSON []byte, sub
 	return cfg.TokenSource(ctx), nil
 }
 
-func tokenSourceForServiceAccountScopes(ctx context.Context, email string, scopes []string) (oauth2.TokenSource, string, bool, error) {
+func tokenSourceForServiceAccountScopes(ctx context.Context, serviceLabel string, email string, scopes []string) (oauth2.TokenSource, string, bool, error) {
 	saPath, err := config.ServiceAccountPath(email)
 	if err != nil {
 		return nil, "", false, fmt.Errorf("service account path: %w", err)
@@ -45,6 +45,11 @@ func tokenSourceForServiceAccountScopes(ctx context.Context, email string, scope
 		return nil, "", false, fmt.Errorf("read service account key: %w", readErr)
 	}
 
+	// Keep-specific service account files should only be used for Keep.
+	if serviceLabel != "keep" {
+		return nil, "", false, nil
+	}
+
 	// Backwards compatibility: Keep used a dedicated stored service account file.
 	keepSAPath, keepErr := config.KeepServiceAccountPath(email)
 	if keepErr == nil {