travis-r6s / gridsome-starter-shopify

Gridsome Shopify Starter

Home Page: https://gridsome-shopify-starter.netlify.app

Is it safe to expose Shopify token to client side?

MelvinLoos opened this issue

Maybe I didn't understand correctly, but I read the following line in the "developing" section of the README:

Note env's are prefixed with GRIDSOME_ to make them available to apollo client side

If I made the right deduction from this note, this means the Shopify token is exposed client side, so to the browser. If that is true, wouldn't you then expose your credentials for the Shopify API? Or would you handle this risk by assigning the right scopes to the token?

I would gladly learn what the recommended approach would be for this and it might be interesting to add it to the README as well. Great starter by the way!

Yes, it is safe to expose the Storefront token client side. Basically, that token only enables read-only permissions to public data; no admin actions can be performed.

I suggest reading about this in the Shopify docs - https://shopify.dev/docs/storefront-api/getting-started - that should help clarify.
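
An added example, not part of the thread or of the starter's own code: a Node.js pre-build check that parses a `.env` file and reports any `GRIDSOME_`-prefixed variable (and so, per the README note, any value shipped to the browser) that looks like something other than the public Storefront token. The variable names in the sample are constructed, and the `shpat_`, `shpss_`, `shpca_` and `shppa_` value prefixes (Shopify Admin API tokens and app secrets) and the name heuristics are assumptions that do not come from this page.

```javascript
// Added example: audit a .env file for credentials Gridsome would bundle client side.
// Assumption (from the README note): only GRIDSOME_-prefixed variables reach the browser.

// Heuristics (assumptions, not from the page): name fragments that suggest a private
// credential, and value prefixes used by Shopify Admin API tokens and app secrets.
const RISKY_NAME = /(ADMIN|SECRET|PASSWORD|PRIVATE)/i;
const RISKY_VALUE = /^(shpat_|shpss_|shpca_|shppa_)/;

// Minimal KEY=VALUE parser: skips blanks and comments, strips matching quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue; // no key before '=' or no '=' at all
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// Returns one finding per client-exposed variable that should not be public.
function auditClientEnv(text) {
  const findings = [];
  for (const [key, value] of Object.entries(parseEnv(text))) {
    if (!key.startsWith('GRIDSOME_')) continue; // stays server side, not bundled
    if (RISKY_VALUE.test(value)) {
      findings.push({ key, reason: 'value looks like an Admin API token or app secret' });
    } else if (RISKY_NAME.test(key)) {
      findings.push({ key, reason: 'name suggests a private credential' });
    }
  }
  return findings;
}

// Constructed sample; names and values are hypothetical, not real credentials.
const sampleEnv = `
# Storefront token: intended to be public
GRIDSOME_SHOPIFY_STOREFRONT=my-store
GRIDSOME_SHOPIFY_STOREFRONT_TOKEN="0123456789abcdef0123456789abcdef"
GRIDSOME_SHOPIFY_ADMIN_TOKEN=shpat_EXAMPLEEXAMPLEEXAMPLE
GRIDSOME_WEBHOOK_SECRET=changeme
SHOPIFY_ADMIN_TOKEN=shpat_EXAMPLEEXAMPLEEXAMPLE
`;

console.log(auditClientEnv(sampleEnv));
```

The unprefixed `SHOPIFY_ADMIN_TOKEN` is not reported because it is never bundled; the same token under a `GRIDSOME_` name is.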