Note: This property key is not included in the production manifest and will evaluate to undefined. It is used internally only in the build process, because it contains API keys that some may want to keep private.
so where is it stored? is it accessible by inspecting the apk? how does react-native-maps access it?
In addition to what wkozyra said, you should restrict the API key so that Google will only allow requests from your Android app using that key. See this video for how that is done.