What do you mean by a completely secure SPA? It’s a static site that you can host on AWS or any CDN, meaning that, no matter what, a user will be able to access those files.
That being said, a user will NOT have access to your API. They can load the /account page, but that doesn’t mean they will see any info.
Does that make sense?
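
The split described in the reply above, as an added example that is not part of the original post: the SPA shell is served to anyone for any client-side route, while the API authenticates every request on the server. The `/api/account` route, the session store, and all names and sample data are assumptions constructed for illustration.

```javascript
// Added example: routes under /api, the session store and all data are assumed.

// Constructed sample data: server-side session store and account records.
const sessions = new Map([["sess-constructed-1", { userId: "u1" }]]);
const accounts = new Map([
  ["u1", { email: "alice@example.test", plan: "pro" }],
  ["u2", { email: "bob@example.test", plan: "free" }],
]);

// The SPA shell is the same static file for every client-side route.
const SPA_SHELL = '<!doctype html><div id="app"></div>';

// Extract a bearer token from an Authorization header value, or null.
function bearerToken(header) {
  const m = /^Bearer ([A-Za-z0-9._-]+)$/.exec(header || "");
  return m ? m[1] : null;
}

// Decide the response for a request. Only /api/* touches data, and every
// /api/* request is authenticated on the server before anything is read.
function handle(method, path, headers = {}) {
  if (!path.startsWith("/api/")) {
    // Static content: anyone can fetch it, including the /account route.
    return { status: 200, body: SPA_SHELL };
  }
  const token = bearerToken(headers.authorization);
  const session = token ? sessions.get(token) : undefined;
  if (!session) return { status: 401, body: { error: "unauthenticated" } };

  if (method === "GET" && path === "/api/account") {
    // The account is selected from the session, never from client input,
    // so a caller cannot ask for another user's record.
    return { status: 200, body: accounts.get(session.userId) };
  }
  return { status: 404, body: { error: "not found" } };
}
```
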