Rule of Thumb

Especially for single page applications (which are rendered on the client side):

Data from and within clients can't and shouldn't be trusted as a security measurement.

Always rely on proper permission management on the server side.

• the worst thing which can happen is that your client may see the "premium" menus.