API keys are most successful when they're issued for server-side use; when used client-side the usual pattern that I see is for individual clients to request their own API key?
In this case, it would need to be distributed to myriad users who legitimately need to ask for the lists and then could be scraped by the "attacker", but at least then they'd have to be knowingly malicious vs. accidentally malicious.
You generally add a small "cost" to request an API key. For example, submit your email to this form and wait a day.
Then browser makers like this will not reasonably be able to request a new key automatically for every install. So they will just request one and ship it.
Then when you get abuse like this you can disable it.