
I completely disagree with any attempt to merge the front end with the back end by obscuring the boundary. It's a horrible idea and leads to security vulnerabilities.

The front end is a public resource; the back end is a private resource whose access needs to be controlled according to clear and consistent rules and with proper authentication checks.




There’s usually no problem with security in thin hypermedia apps. Backend still has full control over access, you just have an extra step of actually rendering the view with the model you’d otherwise return via API.



