Hi @Tyler_Kaye,
Thank you for your detailed answer. The security on this subject is indeed what I thought it was.
I think user-specific limits could partly address the concern. However, while anonymous authentication is enabled, a malicious user could simply create other accounts to make more requests. IP-specific limits could be used to prevent that.
In the end, what I was looking for is something similar to what Firebase did with Firebase App Check:
It’s a way to authenticate all requests as coming from the right client code. It would be an interesting feature to add to your roadmap.
Cheers