If the API key has some certain permissions I don't see any exploitation risk. In the end, Vue.js or any other HTML is basically a GUI for REST API. You should always limit your REST API operations on server-side and don't trust frontend validations. Power users are always able to access your sessions,cookies,tokens and can use them freely with API.