For what it’s worth, we have a workaround by passing the accessToken to the frontend.
I have a brief example code here: Next.js & External API without Proxying requests through Next.js backend
I’m just looking for some kind of official confirmation that this is safe to do.