Спасибо комментатору выше, вот пара абзацев из статей задевающих эту тему (может кому интересно будет):
Enforcing the routing policy client-side
Warning: I want to stress the importance of securing your server-side API once-again. The routing policy we're "enforcing" client-side is very easy to get around using Chrome Developer Tools or Firebug. The technique I'm describing is used as a way of tailoring your views and giving a better user experience, but malicious users can still change their user role and get access to client-side routes that should be restricted to them. This is not a problem as long as any sensitive data is accessed via your server-side API, and the proper authentication/authorization strategy is implemented there.
СтатьяAccess control
Authorization a.k.a. access control in AngularJS doesn’t really exist. Since we’re talking about a client-side application, all of the source code is in the client’s hands. There’s nothing preventing the user from tampering with that code to gain ‘access’ to certain views and interface elements. All we can really do is visibility control. If you need real authorization you’ll have to do it server-side, but that’s beyond the scope of this article.
Статья 