What you’re describing is correct. Anything that lives on the client (in the browser) can be tampered with. Yes, one would be able to change its own role and access ‘admin’ screens. However, your back-end API should ALSO verify the authenticity of requests and return an appropriate (e.g. 401 unauthorized) response. The net effect is that the attacker will not be able to fetch any private information (in JSON), nor be able to make any changes.
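An added example (not the answerer's code) of the server-side check the answer describes: the API verifies a server-signed token and looks the role up in its own user store, so a role flag edited in the browser or sent in the request body is ignored. It assumes a constructed HMAC-signed token, a hypothetical handler `handle_admin_users`, and returns 401 for a missing or tampered token and 403 for a valid non-admin user.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret and user store (assumptions for this example only).
SERVER_SECRET = b"example-secret-for-demo-only"
USERS = {"alice": {"role": "user"}, "bob": {"role": "admin"}}


def issue_token(username):
    """Server issues a signed token carrying only the username; the role is never stored client-side."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": username}).encode()).decode()
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token):
    """Return the username if the signature is valid, else None. Any client edit breaks the signature."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def handle_admin_users(headers, body):
    """Hypothetical handler for GET /admin/users: trusts only the verified token and the server's store.

    `body` is accepted to show that a client-supplied {"role": "admin"} has no effect.
    """
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    username = verify_token(token)
    if username is None or username not in USERS:
        return 401, {"error": "unauthorized"}
    # Authorization decision uses the server-side role, never `body` or any client-set flag.
    if USERS[username]["role"] != "admin":
        return 403, {"error": "forbidden"}
    return 200, {"users": sorted(USERS)}
```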