I know you are not trying to be annoying. I do get where you are trying to go and I would be concerned also.
I’m just showing you how Bubble handles the denial of creating a thing. If that is enough security it’s something you should evaluate.
In regard to your other questions, I can’t give you a straight answer to that because any web technology is susceptible to being attacked.
What I can say is that the create a thing and its condition check are not run on the client side. However, if the condition is set to check a data element that is available on the client side, it could be tampered with and someone could circumvent your security.
So make sure the condition check is not based on a custom state or anything that is not read directly and at the moment of the check from the database.
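
The difference described in the post above, as an added example that is not part of the original post and is not Bubble's own code: a server-side create handler whose condition reads a client-supplied value, next to one that reads the role from the database at check time. The `db` object, the request shape and both function names are hypothetical, and `userId` is assumed to come from an authenticated session.

```javascript
// Constructed in-memory "database"; stands in for the server-side data store.
const db = {
  users: new Map([
    ["u1", { role: "admin" }],
    ["u2", { role: "member" }],
  ]),
  things: [],
};

// Weak: the check runs on the server, but on a value the client sent.
// Anything in request.clientState can be set to whatever the sender likes.
function createThingTrustingClient(request) {
  if (request.clientState && request.clientState.isAdmin === true) {
    db.things.push({ owner: request.userId, name: request.name });
    return { ok: true };
  }
  return { ok: false, reason: "denied" };
}

// Hardened: ignore client-held state and read the role from the database
// at the moment of the check. Unknown users are denied as well.
function createThingCheckingDb(request) {
  const user = db.users.get(request.userId);
  if (!user || user.role !== "admin") {
    return { ok: false, reason: "denied" };
  }
  db.things.push({ owner: request.userId, name: request.name });
  return { ok: true };
}

// Constructed requests: a non-admin whose client-side state claims admin,
// and a real admin who sends no client state at all.
const tampered = { userId: "u2", name: "report", clientState: { isAdmin: true } };
const legit = { userId: "u1", name: "report", clientState: {} };

function demo() {
  return {
    weakOnTampered: createThingTrustingClient(tampered).ok,
    hardenedOnTampered: createThingCheckingDb(tampered).ok,
    hardenedOnAdmin: createThingCheckingDb(legit).ok,
  };
}

console.log(demo());
```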