When security is turned on for your account, any request to the Filepicker.io API (be it a pick, read, etc.) is denied unless it has an appropriate policy and secret.
To prevent people from copying your policies and using them maliciously, you should set an appropriately short expiry time to make this difficult, and use some level of exponential backoff or similar on your end to ensure one person isn't continually generating new policies from your server.