It seems the Google Maps SDK is designed to be used from the client (on the device), but security comes from restrictions you apply from the Google Cloud Console:
You can say: "Only allow this key to be used if the call comes from an app with package name X and SHA-1 Y."
This way, even if someone sees your key, they won't be able to use it in their own app.
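
One way to verify that a key really carries the restriction described above, as an added example that is not part of the original post: the script audits key records in the JSON shape of the API Keys API v2 (for instance, the output of `gcloud services api-keys list --format=json`) for the expected package name and SHA-1 pair. The key names, the package `com.example.maps` and the fingerprints are constructed sample values.

```python
import json
import re

# Constructed sample data in the shape of API Keys API v2 Key resources
# (e.g. from `gcloud services api-keys list --format=json`). Names are hypothetical.
SAMPLE_KEYS = json.loads("""
[
  {"displayName": "maps-unrestricted"},
  {"displayName": "maps-restricted",
   "restrictions": {
     "androidKeyRestrictions": {"allowedApplications": [
       {"packageName": "com.example.maps",
        "sha1Fingerprint": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"}]},
     "apiTargets": [{"service": "maps-android-backend.googleapis.com"}]}},
  {"displayName": "maps-wrong-cert",
   "restrictions": {
     "androidKeyRestrictions": {"allowedApplications": [
       {"packageName": "com.example.maps",
        "sha1Fingerprint": "0000000000000000000000000000000000000000"}]}}}
]
""")

def normalize_sha1(fingerprint):
    """Accept 'DA:39:...' or 'DA39...' and return 40 upper-case hex chars, else None."""
    hexed = (fingerprint or "").replace(":", "").upper()
    return hexed if re.fullmatch(r"[0-9A-F]{40}", hexed) else None

def audit_key(key, package, sha1):
    """Return a list of findings; an empty list means the key is locked to the app."""
    findings = []
    restrictions = key.get("restrictions", {})
    apps = restrictions.get("androidKeyRestrictions", {}).get("allowedApplications", [])
    allowed = {(a.get("packageName"), normalize_sha1(a.get("sha1Fingerprint"))) for a in apps}
    expected = (package, normalize_sha1(sha1))
    if not allowed:
        findings.append("no Android app restriction: any app can use this key")
    elif expected not in allowed:
        findings.append("expected package/SHA-1 pair is not in the allowed list")
    if allowed - {expected}:
        findings.append("other package/SHA-1 pairs are also allowed")
    if not restrictions.get("apiTargets"):
        findings.append("no API restriction: key works for every enabled API")
    return findings

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        result = audit_key(key, "com.example.maps",
                           "DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09")
        print(key["displayName"], "->", result or "OK")
```
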