All API requests require an OAuth token.
Only way to get an OAuth token is either in your backend server create an App Access token, or to have the user login to your site which would grant you an OAuth token to use. Since the former is not possible as you mentioned not having a backend, the latter is your only option.
It’s not needless security, it ensures Twitch know who is making API requests, and if necessary can take action against bad actors.