A massive limitation of Parse.com is with their JavaScript SDK - you have to expose your app keys to the client and the SDK doesn't work at all on any version of IE unless you have SSL enabled.
1) There are Access Control Lists which should help with that. Also, note that Parse gives you a JavaScript key which is separate from your master key. Though I'm a longtime Parse user, I have not spent much time with the JS SDK on the client (as opposed to Cloud Code, where no keys are exposed), so I can't really say that this just "solves the problem."
2) Wouldn't any similarly-situated JavaScript library face the same problems, with Access Control Lists probably being the most practical solution?
3) Moreover, with any mobile backend, you must assume that the keys that ship within the code of your native app will be public. So you should be using Access Control Lists if you're using the iOS SDK, for example.