Is an API Necessary When Building a Customer-Facing Mobile App with Realm?

I am building a mobile app for release on the Apple and Android stores. I am using Atlas App Services aka Realm to handle user auth and data.

Currently, data calls in my development environment go directly to the database application, using the application ID. My question is, do I need to use an API endpoint (such as the Data API) to handle data calls and prevent malicious activity?

In the production app, users will be able to read and write data linked to their account. They will also be able to read data from other collections, as long as they are logged in with email/password.

From a security standpoint, are the Rules in the database application strong enough for a publicly available app? For example, what is stopping a logged-in user from spamming the database application with nonstop data calls?

I apologize if the answer is obvious. I’ve never used Atlas App Services before.