Security 101

Yup (1 and 2), this should hopefully be available when nested filters become available at the end of the month (probably early next month).

(3) Your client API key should not be a big threat if you secure your app correctly. Even if you use it in client-side JS, a non-experienced hacker could get hold of it. You must make sure your security makes sense. Same principle for an app, although harder to hack.

(4) Spammers usually post, not query. The best security against queries is to not show lots of data unless a user is logged in. However, that is not always feasible for things like a blog, etc. The only way I can think of securing this for the moment is to use Custom Lambda Queries for items that are available to non-logged-in users. You would write your own security in the lambda. There are obviously limitations here. I would guess that a lot of apps are not protected from bulk queries, unfortunately.

J