Web client security

@David-St-Louis-0
On my last question, can you restrict API calls to only be from a specific web domain or mobile app is? Google Api's allowed to restrict calls to firebase to be specifically from an web domain, or the specific app ID's.
Another way to ask it, is there any way to restrict API calls to from a specific location?
Thanks again,
-Chad

All-
Can anyone please help me understand on the Javascript library, where/how are the profileId and anonymousId stored so to be secure? The wrapper sounds like it is JavaScript and doesn't have any native code, is that correct? My app is a hybrid web app using Capacitor/Cordova.
Is there a Cordova/Capacitor plugin for Braincloud? I was not able to find one.
Also, am I correct in saying that when I have a game configured for Android that the Braincloud API's will restrict access to that specific appId/Package Name? The closest example I can give to explain what I am meaning is in Firebase, you can restrict those API calls in the Google APIs so that only apps with the AppId/Package Name can reach your Firebase API.
Thanks in advance,
-Chad

Hey folks,
I am trying to figure out whether BrainCloud would be a good fit for an RPG game I am making. I have some questions.

1. Would Braincloud handle RPG style games well? Multiple characters, character inventory, stats, multiple classes, skills, Powers, etc? How would you track them?
2. Where is profileId and anonymousId stored, and is it stored securely with the web SDK on mobile devices?
3. How would I track IAP items per character as well as currency, etc?
4. What happens if a player is playing offline (no internet)? Will braincloud hold all changes until they connect? Is there a limit to how many calls that will be 'held?'
5. Any other helpful tidbits?
   Thanks in advance,
   -Chad