Is there any security risk if the search api key is exposed?

No, since the search key is scoped to only the search end-point, it's meant to be exposed so that the search requests can be made directly from the browser.

Okay. Thank you for the info.