From what I understand, as long as the key is passed as a header inside the plugin editor, it’s secure. But if you’re storing the API key as a variable (which is exposed upon page load) or the API key is in the API URL you are calling (such as a parameter), then it would be exposed.
Here is a great Security 101 video that WeWeb published just a couple weeks ago that has more on this: Build secure web-apps with no-code tools - YouTube