Is user_metadata secure to use?

Hi guys, I'm wondering how user_metadata is secure to use? As the client can change it theirselves with executing this code on the client. Authenticated users can just change their e-mail etc right? I understand its secured for others, due to the token etc.