The rate limit is per user, so requests from that User Access Token won’t impact the rate limit of your other users. If the user opens up multiple instances of your app, though, they’ll potentially be using up their own rate limit faster.
The Twitch Developer Agreement states:
So you are responsible for the keys, but if you take reasonable precautions to prevent misuse (such as not displaying them to the user, or making them available outside of your app), and your app isn’t designed with malicious intent, then it is unlikely Twitch would take action against you (please keep in mind I’m not a legal expert, nor do I speak for Twitch).
OAuth Tokens being used client-side always have an inherent risk, but that’s partly why they do expire, and individual tokens can be revoked if needed, and this is something that all apps that do client-side requests have to deal with, not just Twitch apps but other services that use OAuth Implicit Tokens too.
Client ID is public, as any user going through an OAuth flow, regardless of the type, or if it’s on a website or in an app, can see the app’s Client ID in the URL. It’s impossible to get User Access Tokens without exposing it. It’s not something you need to be concerned about.
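
Added example, not part of the original post and not Twitch's code: a Python sketch of the implicit flow that shows the Client ID sitting in the authorize URL while the User Access Token comes back in the redirect fragment, which is the part to keep out of logs and UI. The `state` check, the helper names, the redirect URI and the token value are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"


def build_authorize_url(client_id, redirect_uri, scopes):
    """Return (url, state). The Client ID is visible in the URL by design."""
    state = secrets.token_urlsafe(16)  # random per attempt, kept by the app
    query = urlencode({
        "response_type": "token",      # implicit grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_redirect(redirect_url, expected_state):
    """Extract the token from the redirect fragment after checking state."""
    parts = urlsplit(redirect_url)
    query = parse_qs(parts.query)
    if "error" in query:               # the user denied the request
        raise PermissionError(query["error"][0])
    fragment = parse_qs(parts.fragment)
    state = fragment.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    if "access_token" not in fragment:
        raise ValueError("no access token in redirect")
    return {
        "access_token": fragment["access_token"][0],
        "scopes": fragment.get("scope", [""])[0].split(),
    }


def redact(url):
    """Drop query and fragment so a logged or displayed URL carries no token."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


if __name__ == "__main__":
    url, state = build_authorize_url(
        "example_client_id", "http://localhost:3000", ["user:read:email"])
    print(url)  # the Client ID is in plain sight here
    # Constructed redirect, as the browser would hand it back to the app.
    back = f"http://localhost:3000/#access_token=constructedtoken123&state={state}"
    print(redact(back), parse_redirect(back, state)["scopes"])
```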