While going over security, I found out all REST endpoints for cloud functions can be accessed without using _ApplicationId:
Check here, it returns a (hello world) result without needing _ApplicationId:
https://5q6ce5oht43m.moralis.io:2053/server/functions/getSomething
So what’s the use of _ApplicationId?
I don’t know exactly what for that parameter is, but as it is a public parameter it can not be considered as a security problem if it works without it
I’m using REST to get data from another moralis server inside cloud functions, so my app_id is never visible client-side. But yes, not the most secure if that key is compromised.
Just wanted to let you know, as using the app_id is mentioned very specifically in the docs, so you would expect it to do something 
you can add a separate security layer if you want with a specific key that you send as parameter and you can check it in that cloud function