That’s the case for most API authentication methods. It’s all about how secure you can keep the API key yourself. They are not insecure on their own.
Unfortunately, Roblox doesn’t provide any sort of secret vault solution, so you have to resort to sub-par solutions like storing the keys in a datastore so they’re not plaintext.