Definitely an interesting question. With a lot of security matters we need to consider what we are trying to protect and how important it is that we protect it (i.e. hiring a team of trained guards to protect millions of dollars worth of jewels, versus hiring the same team to protect your lunch in the work fridge).
So I think it is interesting to consider how important it is to protect the Google API key. Obviously the concern here is that someone takes your key and starts using up your quota, potentially costing you money. I’ve never run into this situation so I’m not sure how it would play out. Does the Google Maps API monitor/block suspicious traffic? Since people can get their own key for free anyway, is it worth the effort to steal someone else’s (except for in cases where they want to do something malicious/use a very high amount of requests - in which case, would Google block these requests anyway?).
I’m not trying to speak authoritatively here, these are just questions to consider. In terms of protecting a Google Maps API key for the JS SDK when running in a hybrid app, the only way I can think of right now that would have any significant impact is to use a plugin to spoof the referrer so that to Google it looks like the request is coming from yourdomain.com, and then restrict your API key to that referrer. I don’t know if this would actually work (I’ve never tried it), or whether it would break any of Google's terms of service. I believe people would still be able to use your key anyway by also spoofing the referrer on their end to match, but it would greatly restrict the ways in which they could use that key.
In my opinion, it seems like this is an issue that would rarely ever be an issue. The biggest concern is that now since you have to associate payment with your account, you run the risk of breaching the free threshold and running an absurdly high bill. Again, I don’t know if Google would just detect this automatically and block it. If there is a way to limit the max amount you pay for the API, that could also help to stop any nasty surprises.
I’d be very interested to hear from people who know some of the specifics of how the API deals with stuff like this. It seems to me that even if you are running Google Maps on a website, and restrict the referrer to your domain, someone who doesn’t like you very much could still take that API key, spoof the referrer header, and spam requests to the API (which is why I assume Google would have some smarts around this).
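As an added illustration of the referrer point made in this post (example code written here, not from the original poster and not Google's implementation): the check below simulates an HTTP-referrer allow-list of the kind a key restriction applies, and runs a few constructed requests through it. The allow-list syntax (`*.yourdomain.com`), the header names and the sample hostnames are all assumptions for illustration. It shows two things: a restriction of this kind rejects a key embedded on another site or used from a script that sends no Referer, but passes a script that simply sets the header to the allowed domain, which is exactly the spoofing concern raised above. It also contrasts a hostname match against the naive substring check that lets a lookalike domain through.

```python
"""Simulated referrer allow-list check (added example, not from the post).

Assumptions: a Google-style allow-list with a "*.host" wildcard, requests
represented as plain header dicts, and constructed sample hostnames.
"""
from urllib.parse import urlsplit

ALLOWED_REFERRERS = ["yourdomain.com", "*.yourdomain.com"]  # assumed policy


def referrer_host(headers):
    """Return the lowercase hostname from the Referer header, or None."""
    ref = headers.get("Referer") or headers.get("referer")
    if not ref:
        return None
    # urlsplit().hostname is lowercased and has any port stripped.
    return urlsplit(ref).hostname


def host_matches(host, pattern):
    """Exact hostname match, or '*.example.com' matching any subdomain.

    The wildcard deliberately does not match the bare apex and cannot be
    fooled by a lookalike such as example.com.evil.example.
    """
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def is_allowed(headers, allowed=ALLOWED_REFERRERS):
    """True if the request's Referer hostname is on the allow-list."""
    host = referrer_host(headers)
    if host is None:
        return False
    return any(host_matches(host, p) for p in allowed)


def naive_is_allowed(headers, needle="yourdomain.com"):
    """The substring check people often write; kept here to show its flaw."""
    return needle in headers.get("Referer", "")


# Constructed requests for illustration (not captured traffic).
BROWSER_ON_YOUR_SITE = {"Referer": "https://maps.yourdomain.com/page"}
BROWSER_ON_OTHER_SITE = {"Referer": "https://someone-else.example/embed"}
SCRIPT_NO_REFERER = {"User-Agent": "curl/8.0"}
SCRIPT_SPOOFED = {"User-Agent": "curl/8.0", "Referer": "https://yourdomain.com/"}
LOOKALIKE = {"Referer": "https://yourdomain.com.evil.example/"}


def run_demo():
    """Run every sample request through both checks; returns {case: (strict, naive)}."""
    cases = {
        "browser on your site": BROWSER_ON_YOUR_SITE,
        "browser on another site": BROWSER_ON_OTHER_SITE,
        "script, no Referer": SCRIPT_NO_REFERER,
        "script with spoofed Referer": SCRIPT_SPOOFED,
        "lookalike domain": LOOKALIKE,
    }
    return {name: (is_allowed(h), naive_is_allowed(h)) for name, h in cases.items()}


if __name__ == "__main__":
    for name, (strict, naive) in run_demo().items():
        print(f"{name:30s} hostname check={strict!s:5s} substring check={naive}")
```

The "script with spoofed Referer" case is the one the post is worried about: because the header is supplied by the client, the allow-list cannot distinguish it from a real browser on your page. What the restriction does buy you is that the key is useless when pasted into someone else's web page, since browsers set Referer themselves and will not send your domain from theirs.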