those are the cases that make it into the news when someone reports the insecurity of a API they found, and then gets accused for breaking into the website or database.

there are many reasons to prefer SSR over SPA, but covering up incompetence should not be one of them. designing an API is not hard.