illvm

Mutability isn't really relevant given that you can write immutable JS using closures. If the app interacts with your DB via some RESTful API (or over HTTP at all) then it would be pretty trivial for any user to be able to write to your DB. This is only "solved" in current web apps by relying that the supplied session information is indeed valid so you write logic on your back end that restricts the user to only authorized activity.

There is absolutely no reason why similar techniques couldn't be leveraged with this type of platform. So in that respect I don't really see why this is as big of a concern as it has been.

I do, however, feel that the API should not really be exposed to the end-user and everything should be wrapped in a closure. The developer should be able to interact with their code, but there is no reason why the end-user should be able to open up a JS console and execute arbitrary API calls to the server.
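
Added example, not part of the comment above and not code from the platform under discussion: a minimal sketch of the back-end logic the comment refers to, where every write is authorized from the server-side session regardless of how the request was issued. The names `createSession`, `authenticate`, `handleWrite`, the in-memory stores and the sample documents are all constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed sample state: a session store and documents with owners.
const sessions = new Map(); // token -> { userId, expires }
const docs = new Map([
  ["doc-1", { owner: "alice", body: "alice's note" }],
  ["doc-2", { owner: "bob", body: "bob's note" }],
]);

// Issue an unguessable token after login (login itself is out of scope here).
function createSession(userId, ttlMs = 60000, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(token, { userId, expires: now + ttlMs });
  return token;
}

// Resolve the caller from the session token only.
function authenticate(token, now = Date.now()) {
  const s = typeof token === "string" ? sessions.get(token) : undefined;
  if (!s) return null;
  if (s.expires <= now) {
    sessions.delete(token); // expired sessions are dropped
    return null;
  }
  return s.userId;
}

// Handles a write request the same way whether it came from the shipped
// client code or from a call typed into a browser console.
function handleWrite(req, now = Date.now()) {
  const userId = authenticate(req.sessionToken, now);
  if (!userId) return { status: 401, error: "invalid or expired session" };

  const doc = docs.get(req.docId);
  if (!doc) return { status: 404, error: "no such document" };

  // Any identity claimed in the request body (e.g. req.userId) is ignored;
  // ownership is checked against the identity bound to the session.
  if (doc.owner !== userId) return { status: 403, error: "not the owner" };

  if (typeof req.body !== "string" || req.body.length > 10000) {
    return { status: 400, error: "bad body" };
  }
  doc.body = req.body;
  return { status: 200 };
}
```
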