How do you protect unauthorised API usage with stolen appId?

If the application id is publically available, how do you/I prevent someone from scraping the appId and server URL, then initialising their app with my details and calling the web3API from the SDK?

Could a bad actor scrape a bunch of appIds, initialise their app with one of them, max out the web3api requests, then reinitialise the app with another appid and max out those web3api requests and so on? Could be frustrating for a paid user.

Hi, there is a rate limit that you can set in cloud code for how many requests to web3api can be made: