GraphQL API is exposed to open internet. If a malicious actor gained access by obtaining the API key, they would gain access to all customer data, being also able to delete or obfuscate it.

We are not interested to have this opportunity available globally, since they key is utilized only internally by OCP applications and other Optimizely products.