security of IonSource

hi, Dear experts
I would like to inquire about the security of IonSource.
I often use HTTP, using the following code:

const resource = await Cesium.IonResource.fromAssetId(layer_id, {
server: access_server,
accessToken: access_token
});

When requesting, it is:
/v1/assets/{id}/endpoint? access_token=xxxx

I have the following doubts

  1. Isn’t it easy for others to get the access_token on the webpage? If someone else gets it, what’s the point? How to prevent this situation
  2. Passing/v1/assets/{id}/endpoint in HTTP will expose the entire URL. Is there any other method

Thank you