PubKit will use Signed Requests (http sigs) for all requests, meaning as an instance admin, you will be able to block PubKit from being able to fetch activities from your instance if you desire.

This is a developer tool, and I will not tolerate abuse, so I will make it easy for admins to block!