Here's a couple of things for you to consider off the top of my head:
It's possible to set up an account type that only allows viewing of zones (or other entity types needed for your process) rather than using an administrator account. The security is implemented so that it should not allow interaction with other entity types even through the API. You could use this account to get the data from MyGeotab to ensure that no data can be edited or deleted by users of your service.
Another thing you may consider, if security is important: you could wrap the API requests in some kind of server-side web service where all communication happens with MyGeotab. In this way you would not be exposing either the login details or session ID to a non-secure environment. This would have some performance overhead, of course.
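A sketch of the two suggestions above combined, added here as an example and not taken from the original post or from Geotab: a server-side wrapper that logs in with a view-only account, forwards only an allowlisted read call, and never returns the session to the client. The `ZoneGateway` class, the `transport` callable and the fake API are hypothetical; the `Authenticate`/`Get` method names and the `Zone` type name are assumed to follow the MyGeotab JSON-RPC API.

```python
# Only read calls for the entity types the service needs (assumed here: zones only).
ALLOWED = {("Get", "Zone")}

class ZoneGateway:
    """Server-side wrapper: clients never see the login details or session id."""

    def __init__(self, transport, database, user_name, password):
        self._send = transport  # callable(dict) -> dict, e.g. an HTTPS POST to the API
        self._login = {"database": database, "userName": user_name, "password": password}
        self._credentials = None

    def handle(self, client_request):
        method = client_request.get("method")
        params = client_request.get("params") or {}
        if (method, params.get("typeName")) not in ALLOWED:
            return {"error": "call not permitted"}
        if self._credentials is None:
            reply = self._send({"method": "Authenticate", "params": self._login})
            self._credentials = reply["result"]["credentials"]
        # Forward only vetted fields; client-supplied credentials are dropped.
        safe = {"typeName": params["typeName"], "credentials": self._credentials}
        if isinstance(params.get("search"), dict):
            safe["search"] = params["search"]
        reply = self._send({"method": method, "params": safe})
        # Return data only, never the upstream envelope or session.
        return {"result": reply.get("result", [])}

def fake_mygeotab(calls):
    """Constructed stand-in for the real API so the example runs offline."""
    def send(request):
        calls.append(request)
        if request["method"] == "Authenticate":
            return {"result": {"credentials": {
                "database": "demo_db", "userName": "viewer@example.com",
                "sessionId": "CONSTRUCTED-SESSION"}}}
        return {"result": [{"id": "z1", "name": "Depot"}]}
    return send

if __name__ == "__main__":
    calls = []
    gateway = ZoneGateway(fake_mygeotab(calls), "demo_db", "viewer@example.com", "placeholder")
    print(gateway.handle({"method": "Get", "params": {"typeName": "Zone"}}))
    print(gateway.handle({"method": "Remove", "params": {"typeName": "Zone"}}))
```

The allowlist is a second layer only; the view-only account is what stops edits if the wrapper itself has a bug.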