Yep - we’ve run into this with Script Blocks as well. Here’s how we engineered a workaround:
You need a proxy server to avoid sending the API key at all. Ideally, no one should be doing this anyway, so we envisioned a secure way to manage API keys in the background while avoiding asking users to enter anything.
The API call is replaced with a Google Apps Script server call that contains the Airtable user ID plus a unique token embedded in each script block performing API calls.
The doGet() server hears the request from the Script Block and compares the token with the token on file and the Airtable user ID to verify it is a legitimate request.
The Google Apps Script then calls out to the API, performs its actions, and returns the results to the script block.
The users are thrilled, the interchange with the API is seamless, and it doesn’t expose API keys to any humans.
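
A sketch of the token check and key handling described in the post above, as an added example that is not the poster's code. The parameter names (`userId`, `token`), the script property names (`TOKENS_JSON`, `API_KEY`) and `UPSTREAM_URL` are assumptions; the check lives in a plain function so it can be exercised outside Apps Script.

```javascript
// Added example. UPSTREAM_URL is a placeholder, not a real endpoint.
const UPSTREAM_URL = 'https://api.example.com/v1/resource';

// Compare two strings without stopping at the first mismatching character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  }
  return diff === 0;
}

// The token on file must exist for this user ID and match the one sent.
function authorizeAndProxy(params, store, callApi) {
  const userId = String((params && params.userId) || '');
  const token = String((params && params.token) || '');
  // Own-property lookup so names like "__proto__" never resolve to anything.
  const known = Object.prototype.hasOwnProperty.call(store.tokens, userId);
  const onFile = known ? String(store.tokens[userId]) : '';
  // Always run the comparison so unknown users and bad tokens look alike.
  const match = safeEqual(token, onFile);
  if (!known || !token || !onFile || !match) {
    return { ok: false, error: 'unauthorized' };
  }
  // The key is used here, server side, and never copied into the response.
  return { ok: true, data: callApi(store.apiKey, params) };
}

// Apps Script entry point: secrets come from script properties, not the code.
function doGet(e) {
  const props = PropertiesService.getScriptProperties();
  const store = {
    tokens: JSON.parse(props.getProperty('TOKENS_JSON') || '{}'),
    apiKey: props.getProperty('API_KEY'),
  };
  const out = authorizeAndProxy(e.parameter, store, function (key) {
    const res = UrlFetchApp.fetch(UPSTREAM_URL, {
      headers: { Authorization: 'Bearer ' + key },
    });
    return JSON.parse(res.getContentText());
  });
  // Web apps cannot set an HTTP status here, so the result is in the body.
  return ContentService.createTextOutput(JSON.stringify(out))
    .setMimeType(ContentService.MimeType.JSON);
}
```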