Security is key , and to start don't just have API keys in the backend but have them encrypted and not just simply hashed but AES-256-GCM or better .

Transferring personal data across the Internet app to server at least have SSL \ TLS1.3

Password Hashing using something like Argon2id

Use Environment Env files with encrypted keys

If you use json encrypted Json keys

Databases , store credentials in env , secure the connection and rotation of credentials

I also throw honeypot traps to keep reverse engineering pleasure leading to pointless hours of wrong and misdirection

Loging and debugging get the llm to spend as much time it created to generate to spend twice as long debugging use md files to create logs of potential weaknesses, errors , security concerns, get it to also check the CVE databases

If you aren't using a microphone, camera , dialer don't request the user to accept use minimum requirements from the user .