Comment by loopdoend

Yep this happened to me too and I came to exactly the same conclusions.

We have a list of completely separate “API domains” that our scripts talk to and which also host the cloudfront CDN.

We also cohort our customers by Sift score and keep trusted enterprise customers away from endpoints given to new signups. This way if someone new does something sketchy to get you flagged it won’t affect your core paying customers.