The short answer is, nothing stops the user from doing that as long as that query is within the privileges that were defined in your roles, but you can stop the user by writing User Defined Functions (UDFs) and only allowing these to be called.
If you are concerned about the security aspect of having a token in the browser, there are long forum posts on that topic that could help you further.