Rule of Thumb

Especially for single page applications (which are rendered on the client side):

Data from and (with)in clients can't and shouldn't be trusted as a security measurement.

Always rely on proper permission management on the server side

• the worst thing which can happen is that your client may see the "premium" menus