Yes, you are right. If you have not created an ACL-enabled app and somebody has access to your app keys, then he/she can change everything, like update user data, save new data, delete users, etc. To your other queries, please find my answers inline and let me know if it helps:
PUBLIC READ: It means the document or file which you are going to save in the App42 database will have default access of PUBLIC Read. However, if you set the ACL object in the service instance before making a request to the App42 server, then it will work according to that ACL object.
PUBLIC WRITE/ALL: Both are functionally the same; users who have PUBLIC WRITE access on a particular file or document can perform both operations, read and write.
Here PUBLIC is a generic term which means all app users can access the data. If you want to restrict the permission, then you can set the ACL object. For more detail, please have a look at this link and let us know if it helps.
P.S. For any potential programmer, it's not a tough job to get the app code and credentials. There are online tools available through which anyone can decompile the app file and see the app code & credentials.
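The following is an added illustration, not App42 SDK code and not part of the reply above. It is a small Python model of the permission rules the answer states: with no ACL enforcement, anyone holding the app keys can do anything; a document saved without an explicit ACL defaults to PUBLIC READ; PUBLIC WRITE implies READ as well; an explicit ACL replaces the default and restricts access to the named users. The `Permission` enum, the `PUBLIC` principal string, the `acl_enabled` flag and the sample documents and user names are this example's own constructions, chosen to show why extracted app keys are dangerous without per-document ACLs.

```python
"""Toy model of the ACL rules described in the reply above (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Permission(Enum):
    READ = "READ"
    # Per the reply, WRITE (a.k.a. ALL) allows both read and write.
    WRITE = "WRITE"


# Assumed principal name meaning "every app user" (not a real App42 constant).
PUBLIC = "PUBLIC"

# Assumed default when a document is saved with no ACL object set.
DEFAULT_ACL: List[Tuple[str, Permission]] = [(PUBLIC, Permission.READ)]


@dataclass
class Document:
    name: str
    data: dict
    # Explicit ACL entries (principal, permission); empty list means "use default".
    acl: List[Tuple[str, Permission]] = field(default_factory=list)


@dataclass
class App:
    # Hypothetical flag: False models an app that never turned on ACL checks.
    acl_enabled: bool
    docs: Dict[str, Document] = field(default_factory=dict)


def effective_acl(doc: Document) -> List[Tuple[str, Permission]]:
    """The ACL that actually governs the document: its own, or the default."""
    return doc.acl if doc.acl else DEFAULT_ACL


def is_allowed(app: App, user: str, doc_name: str, wanted: Permission) -> bool:
    """Decide whether `user` (any registered app user) may perform `wanted`.

    Any caller reaching this point already presented valid app keys, which is
    exactly the situation the reply warns about: keys alone prove nothing once
    the app binary has been decompiled.
    """
    doc = app.docs[doc_name]
    if not app.acl_enabled:
        return True  # app keys are the only gate: full read/write for anyone
    for principal, perm in effective_acl(doc):
        if principal not in (PUBLIC, user):
            continue
        # WRITE covers both operations; READ covers only reads.
        if perm is Permission.WRITE or perm is wanted:
            return True
    return False


def save(app: App, user: str, doc_name: str, new_data: dict) -> dict:
    """Write helper that enforces the ACL before mutating the document."""
    if not is_allowed(app, user, doc_name, Permission.WRITE):
        raise PermissionError(f"{user} may not write {doc_name}")
    app.docs[doc_name].data = new_data
    return new_data


def build_demo_app(acl_enabled: bool = True) -> App:
    """Constructed sample data: three documents with different ACL settings."""
    app = App(acl_enabled=acl_enabled)
    # Saved without an ACL object: falls back to PUBLIC READ.
    app.docs["news"] = Document("news", {"headline": "release 1.2"})
    # ACL set before the save: only alice can read or write her profile.
    app.docs["profile_alice"] = Document(
        "profile_alice", {"email": "alice@example.com"}, [("alice", Permission.WRITE)]
    )
    # Explicit PUBLIC WRITE: every app user can read and write.
    app.docs["board"] = Document("board", {"posts": []}, [(PUBLIC, Permission.WRITE)])
    return app


if __name__ == "__main__":
    app = build_demo_app()
    # mallory registered as an ordinary app user using the extracted app keys
    for doc in ("news", "profile_alice", "board"):
        for want in Permission:
            print(doc, want.value, "mallory:", is_allowed(app, "mallory", doc, want))
    try:
        save(app, "mallory", "profile_alice", {"email": "attacker@example.com"})
    except PermissionError as exc:
        print("blocked:", exc)
    # Same request against an app that never enabled ACLs succeeds.
    print("no-ACL app:", save(build_demo_app(acl_enabled=False), "mallory",
                              "profile_alice", {"email": "attacker@example.com"}))
```

The decision function is the point: once app keys have been recovered from a decompiled binary, the only thing standing between an attacker-registered user and other users' data is the ACL attached to each document, so the default PUBLIC READ and any PUBLIC WRITE entries should be deliberate choices rather than leftovers.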