Best practices for disallowing unwanted client calls to the server

Hello Heroic Labs!
I am nearing shipping my first multiplayer game using Nakama, and I wonder if you had advice on best practices for making the server more resilient. For example, this is the complete list of all the server calls my client makes. Is there a way to tell the server “ignore any other client call” that a curious or malicious player/hacker might make?

client.authenticate_steam_async
client.authenticate_game_center_async
client.authenticate_google_async
client.session_logout_async
client.get_account_async
client.update_account_async (to update displayname if it changes on the platform account)
client.list_groups_async
client.list_user_groups_async
socket.connect_async
socket.rpc_async (with several different rpcs)

For example, right now anyone could successfully call create device authenticated account without any trouble. I think I know how to disallow that specific one, but I’m not sure what else I might be overlooking - clients creating friends lists, clients creating groups, etc.

Advice on this and anything else I might be overlooking regarding best practices for hardening the server before shipping is very much appreciated.
Thanks, Matt