We have always been API first rather than SDK first.

Never really thought too much about the security implications but that is of course a benefit too.

Main reasoning for us has been to aim for a really nice HTTP API rather than hide uglyness with an SDK on top.