Security question

I have built an app that uses both row owners and roles.
Up til now, I have created all of the users through the data editor.
One of the users, who I have given an ‘admin’ role to, has asked for the ability to create users through the app (he will need to assign each of them an assortment of roles). My understanding is that I will have to do this either through Zapier/Make or by using Call API/Glide API.

My question is the following:

If I create a form with the ability to create users and then use visibility controls to only allow this ‘admin’ user the ability to see/use this form, is it secure?

Since all of the app’s functionality is loaded into the browser and this functionality is just hidden with a visibilty control, would it be possible for someone who has access to the app (but not admin privileges) to be able to create a another user for himself (maybe even one with admin privileges) by inspecting the browser code?

From what I know, I would say that’s a no. The component to call the form doesn’t load into the browser unless the user is validated to be able to see it, and I don’t think you can reverse engineered to add a button that does the same action when you don’t have that access.

OK. Great. Thanks.