You are correct regarding the security implications. This is how many Airtable apps deal with API keys.
I believe that Airtable does this because they do not want to give people a false sense of security. They purposely create this weak link in the chain because there is another weak link in the chain that isn’t as obvious. I am not agreeing with this decision, only stating why I think it was made.