If you expose the API key of a user that has admin access, either via embedded HTML on your website or in code on the frontend, anyone with the key can take over control of the data on your spreadsheets. Proceed with extreme caution when working with non-read access users.