If you are using external contract wallets to enable meta transactions you need to use whitelisting APIs to whitelist your user's contract wallet and target addresses in order to avoid misuse.

If user contract wallet address and target addresses are not whitelisted then a hacker could use your DApps API Key to send gasless transaction to any smart contract e.g. Uniswap contracts via his contract wallet that is not even registered on your DApp and you would end up paying gas fees for his transaction.