We would like to store user metadata that a user can use to store their preferences i.e. Locale, Marketting Consent, etc, that they can modify at anytime they choose. Unfortunately from the documentation I cannot see a way to do this aside from using the management API, which isn’t suitable for a SPA.
If the requirement is to update user metadata only, it is possible to use the Management API in the SPA by using its API identifier as the the audience in the app and requesting the update:current_user_metadata scope. You can read about this here: Get Management API Access Tokens for Single-Page Applications
You are correct that it is recommended not to expose an Access Token with this scope if it ties to functionality/access in your app:
Auth0 does not recommend putting Management API Tokens on the frontend that allow users to change user metadata. This can allow users to manipulate their own metadata in a way that could be detrimental to the functioning of the applications. It also allows a customer to do a DoS attack against someone’s management API by just spamming it and hitting rate limits.
Alternatively, you can proxy the request in your own API. You would set up a machine-to-machine application for your API so that it could obtain an Access Token from the Management API using the client credentials grant.