Best practices to implement Cesium code on a web page?

Welcome to the Cesium community @poulinc!

The best guide to answer all these questions is the getting started guide here: https://cesium.com/docs/tutorials/getting-started/

For best practices regarding keeping your token secure, Matt has some good insight in this post: How to secure ION account

The takeaway here is that you shouldn’t share anything on the client that you don’t want the client to have access to. If someone takes your access token, they will not be able to do anything more than what they can do through your app (view the assets they have permission to, geocode, etc.).

We do have a feature request for restricting token use by domain (https://github.com/CesiumGS/cesium-ion-community/issues/27), but this won’t be foolproof either.

I would suggest making sure you limit the permissions on the access token you use to only what’s needed and regularly rotating your token. For example, the access tokens that are shipped as part of CesiumJS are changed with each monthly release.