Scalability & security of a public node

Hi folks,
Iā€™m working on an app that looks like this: I have a public node that connects to many in-browser nodes. The browser nodes connect to the ā€œserver nodeā€ by having this node in the browser nodesā€™ bootstrap list.

However, how scalable and secure is this?
Can anyone do anything malicious to a public node? How can I protect this node from any sort of attack?
Also, how scalable is having this 1:n architecture? How many clients can 1 ipfs node serve at 1 time? Iā€™m currently running it with nginx to make it public.

Cheers