entelicon asked

Exploits + Spawning servers

I was wondering what prevents a user from exploiting a game, and asking PlayFab to spin up multiple servers?

Custom Game Servers

1 Answer

brendan answered

PlayFab is a Web API based system, so you always do need to assume that any endpoint could be called by a hacked client in ways your game doesn't. In terms of spawning servers, first, I would recommend not leaving Client->StartGame on, unless you absolutely have to. That leaves only Matchmake as the way to get a slot in a game. That API call (which the client is rate-limited on, they can't call it frequently) finds the first available slot in a game session that matches the parameters (region, game mode, etc.) and assigns it to the player temporarily, so that they can connect to it. Only if there are no slots in any game session matching the parameters given would a new server instance be started. And it's important to note that this is a server instance - not a server host (the actual machine running the instances).

So while a user could be abusive and call Matchmake in ways you don't intend, they would be limited in how they do so, unless they use a distributed attack (which is outside the scope of what we're discussing here), and it would be relatively easy for you to spot them, and so ban their account from your game.

If you want to be even more secure though, you can turn off the Matchmake call as well, and create your own matchmaking server using our Matchmaker API.

And, of course, we'll be continuing to add to the service, to provide you with more ways to track on user behavior, as well as additional ways to secure your titles.

2 comments

Brian Jordan commented ·

Thanks, this is a useful overview of the issues in question. Client.StartGame respects Player Bans as well, right? Curious what makes Client.StartGame worse to leave open than Matchmake. Is it that Matchmake doesn't allow a given player to be matched with multiple instances at once, while StartGame can be called in quick succession to flood the instance list?

0 Likes 0 ·
brendan (replying to Brian Jordan) commented ·

Correct - any banned client will get a 'banned' error response back to any Client API call, including StartGame. The reason I'd recommend only using StartGame if you have to is because that API call specifically starts a whole new instance of a game session, where Matchmake just returns an open slot in a game instance.

0 Likes 0 ·
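
One way to do the spotting described in the answer above, as an added example that is not part of the original thread or PlayFab's own code: a sliding-window check over a title's own log of Matchmake and StartGame calls, flagging players by call rate and by how many new server instances their calls started. The record format, thresholds and sample data are constructed assumptions, not PlayFab's log schema or actual rate limits.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; these are not PlayFab's actual rate limits.
WINDOW_S = 60
MAX_CALLS = 5      # session-request calls per player per window
MAX_SPAWNS = 2     # new server instances attributed to one player per window

# Constructed sample records: (unix_ts, player_id, api_call, spawned_new_instance)
SAMPLE_EVENTS = [
    (1000, "P1", "Matchmake", False),
    (1005, "P2", "StartGame", True),
    (1010, "P2", "StartGame", True),
    (1015, "P2", "StartGame", True),
    (1020, "P3", "Matchmake", False),
    (1022, "P3", "Matchmake", False),
    (1024, "P3", "Matchmake", True),
    (1026, "P3", "Matchmake", False),
    (1028, "P3", "Matchmake", False),
    (1030, "P3", "Matchmake", False),
    (1200, "P1", "Matchmake", True),
]


def flag_players(events, window_s=WINDOW_S, max_calls=MAX_CALLS, max_spawns=MAX_SPAWNS):
    """Return {player_id: sorted list of reasons} for players over a threshold."""
    calls = defaultdict(deque)   # player -> timestamps of all calls in the window
    spawns = defaultdict(deque)  # player -> timestamps of calls that started an instance
    flagged = defaultdict(set)
    for ts, player, api, spawned in sorted(events):
        if api not in ("Matchmake", "StartGame"):
            continue
        calls[player].append(ts)
        if spawned:
            spawns[player].append(ts)
        # Drop entries that have aged out of the sliding window.
        for q in (calls[player], spawns[player]):
            while q and q[0] <= ts - window_s:
                q.popleft()
        if len(calls[player]) > max_calls:
            flagged[player].add("call_rate")
        if len(spawns[player]) > max_spawns:
            flagged[player].add("instance_spawns")
    return {p: sorted(r) for p, r in flagged.items()}


if __name__ == "__main__":
    for player, reasons in flag_players(SAMPLE_EVENTS).items():
        print(player, reasons)
```

Counting spawned instances separately from raw calls reflects the distinction drawn in the thread: StartGame always starts a new instance, while Matchmake does so only when no open slot matches.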
