The application IDs used for our sample applications are monitored, and it would be very apparent if someone were to attempt to use it to build an application. Additionally, should we notice it being abused, it would be easy to revoke the application ID, preventing anyone from using it going forward.
As to your second question, I can’t speak to the specific reasoning, as I’m not involved in those decisions. My thought would be it’s designed in a way to get people up and running with the SDK as soon as possible. Most applications start out as trials, and thus we want users to be able to implement the API without much trouble. As you progress with setting up your application, it then makes sense to begin ensuring the application is secure. In most instances, you do this in multiple parts. One of those parts could be implementing authentication in your application, and another part would be ensuring that you’re generating access/session tokens via the platform API and denying login to any application that is accompanied by that token.
Let me know if you have any additional questions.