What protection does the service have to prevent impersonation - i.e. if a user is aware of the ID of another user, what’s to stop them from calling the SDK and accessing their content?
Normally the app must authenticate the user before connecting that user ID with the SDK - so we suggest that the app should only pass user ID into the SDK only after the user has authenticated with your system.