We are developing an app for the quest 2 and are considering what ID to use for the PlayFab login. We want the PlayFab account to be tied to the Oculus/Meta account so that the user could log in on a different device and still be able to access their in-game data. The easiest way would be to directly use the user's Oculus ID as the PlayFab login ID but we are not sure how easy this would be for a hacker to obtain.
My question is, if a hacker were to find out a user's PlayFab login ID, to what extent could the hacker affect that user's account? We are planning on setting up PlayFab so that most, if not all, of the player's data can only be changed by the server itself and is read only client side. However, we are still concerned that they would be able to "spoof" the user and make the same server requests that the user might in order to make changes to the data.
Thank you for your help!