It’s simple to get api keys. You can just make it a little harder to get them. That’s why firebase configuration file with urls and api keys is contained in plain json making it so easy to get them after decompilation. Only server side rules can guarantee security with hashing function and hash integrity is checked on server.
I know nothing about airtables security layer. But if the security depends on the api key which is contained in the source code it’s not secure at all.