I have read some of post from this forum and have asked some questions, I understood that client API calls needs developer secret. The secret saved in somewhere playfab server. And playfab SDK make the secret connection automatically so that the client API call became safe. Cheaters also can't access it and can't call client APIs to get reward or profit.
If that's true, isn't there no reason to use cloud script for call server API? Because client API is safe enough by that secret. Is it ok to not block the client api at API access policy? I think Im over worriying about the security.
Please teach me my knowledge about playfab is right. Thanks.