User Profile

I'm building two apps. They both share a CloudKit container. One application is designed to edit the contents of the public database regardless of who a record's creator is. The other should only be allowed to read from the public database. Since CloudKit is largely a client-side framework it's easy enough to enforce this client side. Are there any additional guarantees that iCloud provides to enforce what the clients are signed to do? Or is there a risk of having some actor tamper with the public database that isn't using the editing application?

I'm building an app that will provide access to certain CloudKit records but gated by In-App Purchases. My idea is to store these records in CloudKit's public database and I want to know if this is a good idea or not. It seems straightforward enough to prevent the app itself from showing content the user hasn't paid for but the content itself isn't "truly" protected since it lives in CloudKit's public database. Does this seem like a bad idea? If is it, how bad of an idea is it 😅 I'm looking into this approach for costs and the easy of syncing CloudKit records to a Core Data store.