The new viewables:read scope is available on OAuth for 2-legged authentication and 3-legged authorization. It should replace the data:read scope when sending an access token to the client. It limits access to viewable data (e.g. SVF Viewables).
Check our updated sample, update your SDK and migrate your app:
The best option is still to use a proxy to secure your access token, as described in this blog post, which completely hides the access token from the client.
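When the token does have to reach the client, the scope replacement described above can be enforced on the server. The following is an added example, not code from the original post or from the updated sample: it builds a 2-legged token request limited to viewables:read and refuses to hand the browser any token that carries other scopes. It assumes standard OAuth 2.0 client-credentials form parameters and that the access token is a JWT with a `scope` array in its payload; the function names and sample tokens are constructed for illustration.

```javascript
// Added example. Assumption: the access token is a JWT with a `scope` array claim.
const CLIENT_SAFE_SCOPES = new Set(['viewables:read']);

// Form body for a 2-legged (client credentials) request limited to viewables.
function viewerTokenRequestBody(clientId, clientSecret) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: 'client_credentials',
    scope: 'viewables:read', // instead of data:read for client-bound tokens
  }).toString();
}

// Read the scope claim from the JWT payload. No signature check: this is a
// pre-send sanity check on a token our own server just obtained.
function tokenScopes(accessToken) {
  const parts = String(accessToken).split('.');
  if (parts.length !== 3) throw new Error('not a JWT-shaped token');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  if (!Array.isArray(payload.scope)) throw new Error('token has no scope array');
  return payload.scope;
}

// Return the minimal object for the browser, or throw if the token is over-scoped.
function toClientToken(tokenResponse) {
  const scopes = tokenScopes(tokenResponse.access_token);
  const extra = scopes.filter((s) => !CLIENT_SAFE_SCOPES.has(s));
  if (scopes.length === 0 || extra.length > 0) {
    throw new Error('refusing to expose token with scopes: ' + scopes.join(' '));
  }
  const { access_token, expires_in } = tokenResponse;
  return { access_token, expires_in };
}

// Constructed, unsigned sample tokens for illustration only.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(payload)}.constructed`;
}

const viewerToken = { access_token: fakeJwt({ scope: ['viewables:read'] }), expires_in: 3599 };
const dataToken = { access_token: fakeJwt({ scope: ['data:read'] }), expires_in: 3599 };
console.log(Object.keys(toClientToken(viewerToken)));
try { toClientToken(dataToken); } catch (e) { console.log(e.message); }
```

Calling toClientToken in the route that serves the viewer token makes a regression to data:read fail on the server instead of exposing the broader token to the browser.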