Google AI Studio's API key protection is as exposed as the key itself

2 points posted 6 hours ago
by qudent

2 Comments

qudent

6 hours ago

Google AI Studio's Build Mode hides API keys behind a proxy during deployment, which the docs imply is secure. But the proxy forwards arbitrary requests to any Gemini model with zero auth, quota or validation, using the real API schema, even for apps with no AI features. Deployment URLs are discoverable by searching the URL scheme. This was reported to Google in late November and classified as a documentation issue.
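The missing controls the comment lists (auth, quota, validation), sketched as a per-app guard that a key-injecting proxy could run before forwarding. This is an added example, not code from the post or from Google. The policy table, app ids, model names and the `sessionValid` flag are hypothetical, and the `/v1beta/models/<model>:<method>` path shape is an assumption about the upstream API.

```javascript
// Added example: hypothetical guard for a key-injecting proxy (all names are assumptions).
// Per-app policy: an app with no AI features gets empty lists, so nothing is forwarded.
const POLICY = new Map([
  ["app-chat",   { models: ["example-model-small"], methods: ["generateContent"], quota: 2 }],
  ["app-static", { models: [], methods: [], quota: 0 }],
]);
// Assumed upstream path shape: /v1beta/models/<model>:<method>
const PATH_RE = /^\/v1beta\/models\/([A-Za-z0-9.-]+):([A-Za-z]+)$/;
const MAX_BODY_BYTES = 32 * 1024;

function deny(status, reason) {
  return { allow: false, status, reason };
}

// Returns authorize(req); the closure keeps a per-app counter for the quota window.
function makeProxyGuard(policy) {
  const used = new Map();
  return function authorize(req) {
    const app = policy.get(req.appId);
    if (!app) return deny(404, "unknown app");
    // sessionValid stands in for the result of verifying the app's own user session.
    if (!req.sessionValid) return deny(401, "no valid app session");
    const m = PATH_RE.exec(req.path);
    if (!m) return deny(400, "path is not a model call");
    const [, model, method] = m;
    if (!app.models.includes(model)) return deny(403, "model not allowed for this app");
    if (!app.methods.includes(method)) return deny(403, "method not allowed for this app");
    if (req.bodyBytes > MAX_BODY_BYTES) return deny(413, "body too large");
    const n = used.get(req.appId) || 0;
    if (n >= app.quota) return deny(429, "quota exhausted");
    used.set(req.appId, n + 1); // only forwarded requests count against the quota
    return { allow: true, status: 200, reason: "ok" };
  };
}

// Constructed sample requests: allowed call, other model, app without AI, no session.
function demo() {
  const authorize = makeProxyGuard(POLICY);
  const base = { appId: "app-chat", sessionValid: true, bodyBytes: 512,
                 path: "/v1beta/models/example-model-small:generateContent" };
  return [
    authorize(base),
    authorize({ ...base, path: "/v1beta/models/example-model-large:generateContent" }),
    authorize({ ...base, appId: "app-static" }),
    authorize({ ...base, sessionValid: false }),
  ].map((r) => r.status);
}
console.log(demo());
```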

echelon

6 hours ago

Google is moving fast.

We complained they rested on their laurels. Now they're moving at startup speed, beyond "move fast, break things".

They'll win by doing this.