SPA Applications access to audiences/API's

Hi,

Can you clarify something for me. If I define 10 API’s in auth0, one SPA application, and one M2M Application. The SPA application can access to all 10 API’s immediately (implicitly) where as the M2M cannot. Once you grant the M2M access to the API’s then it can.

If you want to separate access between customer API’s and backend API’s do you then have to use 2 separate Auth0 tenants? Since the client technically can change the audience to anything they want before being sent to auth0?