Scalability & security of a public node

Hi folks,
I’m working on an app that looks like this: I have a public node that connects to many in-browser nodes. The browser nodes connect to the “server node” by having this node in the browser nodes’ bootstrap list.

However, how scalable and secure is this?
Can anyone do anything malicious to a public node? How can I protect this node from any sort of attack?
Also, how scalable is having this 1:n architecture? How many clients can 1 ipfs node serve at 1 time? I’m currently running it with nginx to make it public.