question

Does steam login actually require full legitimate ownership of the game in your account? Or just knowing the steam id of the game? I am asking just in case crackers can fake a steam login with the full game ID instead of the demo ID and cause playfab costs trough calling API or even maliciously spamming them. Can the Steam ticket string be faked?

Authentication - Login With Steam - REST API (PlayFab Client) | Microsoft Learn requires the SteamTicket, any Steam users can get it and use it to login. PlayFab only communicates with Steam to see if the ticket is valid.

Is there any login method that can require ownership of certain DLC? In this case we could, instead of the demo router, go trough the DLC route for the full version and integrate everything in the same App.

No, LoginWithSteam only requires a valid SteamTicket, PlayFab won’t check the ownership.

And at last: How could we go about handing a dedicated server to players that they can set up and make compatible with playfab (client API)? I read that servers use some sort of Anonymous steam login so there is no actual check for ownership going on, right? So in this case, if we enable playfab for dedicated servers we could again encounter hackers who did not buy the game causing costs in API calls.

Servers - PlayFab | Microsoft Learn is a session-based service, players can join a server through Matchmaking service or using API Multiplayer Server - Request Multiplayer Server - REST API (PlayFab Multiplayer) | Microsoft Learn to request a server directly. If you let paying users and free-to-play users use the same client version, then all issues above can happen. I would recommend that just provide the free-to-play users a client that doesn’t include any PlayFab service as you want ‘a free to play demo version without access to playfab’.