How is breeze.js handling security and avoiding exposing business logic

Question

We are considering breeze js to build enterprise applications.

The awesomeness of breeze is that we can execute queries right from the client browser. This allows to

Answer 1

would like to add that you can restrict users that are not authorized from quering by using the attributes in webapi if you get 401 code back from the server just popup a login screen and redo the work needed after the user is logged in

so a user may try to get data about an order but he won't get it unless he is authorized to do so