To answer the second question first -- yes, that is what would happen. When authenticated, you have a single quota shared between users. When unauthenticated, the quotas are "distributed" between users (based on IP address, I guess).
Regarding authenticated communication with GitHub's API from JavaScript -- yes, you would have to put the token (or username and password) into your script and make it public. Which you obviously do not want to do. The way you are "expected" to solve this problem is to have a server side. The JavaScript executing in the browser would communicate with your server (for which there is no rate limit and you can secure it however you want), and the server would communicate with GitHub's API and return the results to your JS script. Since nobody can see into your server's code, the credentials for authenticating are not public.
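The server-side arrangement described in this answer, sketched as an added example (it is not part of the original answer): a small Node.js proxy that attaches the token itself and forwards only an allowlisted set of read-only GitHub API paths. The `GITHUB_TOKEN`, `PORT` and `START_PROXY` environment variables, the allowlisted routes and the `example-proxy` User-Agent are assumptions made for illustration.

```javascript
// Assumptions (not from the answer): GITHUB_TOKEN / PORT / START_PROXY env vars,
// and a front end that only needs a repository's issues and releases.
const GITHUB_API = "https://api.github.com";
const ALLOWED = [/^\/repos\/[\w.-]+\/[\w.-]+\/(issues|releases)$/];

// Map a browser request to an upstream request, or null if it must be refused.
function buildUpstreamRequest(method, rawUrl, token) {
  if (method !== "GET" || !token) return null;
  let url; // URL parsing normalises "../" segments before the allowlist check
  try { url = new URL(rawUrl, "http://proxy.invalid"); } catch { return null; }
  if (!ALLOWED.some((re) => re.test(url.pathname))) return null;
  const upstream = new URL(url.pathname, GITHUB_API);
  // Forward only numeric paging parameters; every other parameter is dropped.
  for (const key of ["page", "per_page"]) {
    const v = url.searchParams.get(key);
    if (v !== null && /^\d{1,3}$/.test(v)) upstream.searchParams.set(key, v);
  }
  return {
    url: upstream.toString(),
    headers: {
      Authorization: `Bearer ${token}`, // added on the server, never sent to the browser
      Accept: "application/vnd.github+json",
      "User-Agent": "example-proxy",
    },
  };
}

// fetchImpl is injectable so the logic can be exercised without network access.
async function handle(method, rawUrl, token, fetchImpl = fetch) {
  const req = buildUpstreamRequest(method, rawUrl, token);
  if (!req) return { status: 403, body: '{"error":"forbidden"}' };
  try {
    const res = await fetchImpl(req.url, { headers: req.headers });
    // Only status and body go back to the client; upstream headers are not relayed.
    return { status: res.status, body: await res.text() };
  } catch {
    return { status: 502, body: '{"error":"upstream failure"}' };
  }
}

async function main() {
  const http = await import("node:http");
  http.createServer(async (req, res) => {
    const out = await handle(req.method, req.url, process.env.GITHUB_TOKEN);
    res.writeHead(out.status, { "Content-Type": "application/json" });
    res.end(out.body);
  }).listen(process.env.PORT || 3000);
}
if (process.env.START_PROXY === "1") main(); // e.g. START_PROXY=1 node proxy.js
```

The browser script calls the proxy's own URL, so the token exists only in the server's environment.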