I am using supabase with sveltekit (on Cloudflare Pages). I was wondering if the supabse queries/auth should go into the routes-script tag or the endpoints (which I believe only run in the backend). All examples seem to use the script tags, but as the script tags run in the frontend as well - i was worried about security