Hey, Marcin. I did some research about your concern. In essence, it is safe to assume that any of the client-side code can be modified as it is publicly accessible. As mentioned in the post, the client-side routing is implemented for UX purposes and not for security purposes.
We should not see the client-side router as a mechanism to securely gate content but rather as a tool for navigation and information presentation.
You secure data in a SPA by putting it behind an API that is protected by an access token. Any content you deploy with your SPA will be visible to anonymous users who can find it using the browser dev tools or by viewing its source. I checked with the team and we determined that the ability to change the value of the Auth0Provider is not a security bug.
If you decide to keep the React DevTools on for production and a user manipulates the state of the provider, then whenever they make their way into pages that would show protected information, they should see error messages or blanks.
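
Added example, not part of the reply above and not Auth0 code: a minimal sketch of an API that authorizes only on a verified access token, so flipping provider state in the browser yields a 401 instead of data. The HS256 shared secret, the sample claims, and the names `issueToken`, `verifyToken`, `getProfile` and `fetchProfile` are assumptions made for a self-contained demo.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed; a real API verifies with the issuer's key
const b64url = (v) => Buffer.from(v).toString('base64url');

// Stands in for the authorization server in this demo.
function issueToken(claims) {
  const body = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${crypto.createHmac('sha256', SECRET).update(body).digest('base64url')}`;
}

// API side: returns the claims only if algorithm, signature and expiry all check out.
function verifyToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return null; }
  if (header?.alg !== 'HS256') return null; // pin the algorithm instead of trusting the header
  const expected = crypto.createHmac('sha256', SECRET).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims?.exp !== 'number' || claims.exp <= now) return null;
  return claims;
}

// Hypothetical protected endpoint: the decision uses only the Authorization header.
function getProfile(headers) {
  const m = /^Bearer (.+)$/.exec(headers.authorization || '');
  const claims = m && verifyToken(m[1]);
  if (!claims) return { status: 401, body: { error: 'invalid_token' } };
  return { status: 200, body: { sub: claims.sub, email: 'user@example.test' } };
}

// Client side: isAuthenticated only drives rendering and is never sent to the API.
function fetchProfile(clientState) {
  const token = clientState.accessToken;
  return getProfile(token ? { authorization: `Bearer ${token}` } : {});
}
```
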