Then you're comparing server-side apps to client-side ones. And imo the attack surface of managing a SSR webapp is fairly minimal - especially when you're already responsible for providing an API to the public. My point was more that API-first doesn't prevent you from doing server-side rendering and there are benefits to doing so.