Can CloudKit security rules be scoped to an application?

I'm building two apps. They both share a CloudKit container. One application is designed to edit the contents of the public database regardless of who a record's creator is. The other should only be allowed to read from the public database.

Since CloudKit is largely a client-side framework it's easy enough to enforce this client side.

Are there any additional guarantees that iCloud provides to enforce what the clients are signed to do? Or is there a risk of having some actor tamper with the public database that isn't using the editing application?

Can CloudKit security rules be scoped to an application?
 
 
Q