The assumption is that you trust your authors, but I’m realizing that this isn’t a valid assumption for all sites.
There should be an option to set which user roles the Publish to Discourse meta box is displayed for. For example, it could only be displayed for editors and admins.
Another possible approach would be for the plugin to take a list of usernames/User API Keys and only publish to Discourse under those names.
There is a small change that could be made to the code so that when the SSO Client option is enabled, only users who had set their Discourse Username by logging in through Discourse would be able to publish posts.
Not if you enable the Do Not Display Discourse Name Field option.