Hey Lucas,
Are there any security reasons in particular that are making them not want to expose the experience’s API key?
To be clear, unless they are leveraging Consumer Auth to set up an authorized search experience that uses a secure token to query instead of the API key, that same experience API key is visible on the frontend every time a user makes a query, regardless of whether or not they leverage the autocomplete endpoint.
For more information on Consumer Auth, you can take a look at the Hitchhiker Module as well as this guide and this community post.
Best,
DJ