Quick answer: Construct 3 project's Photon AppId committed to source control? AppIds embedded in project files are exposed via repo - move to environment variable or runtime config.
Public GitHub fork of an indie game includes the original Photon AppId; the fork's traffic counts against the original quota.
Load at runtime
Read AppId from a config file gitignored in source control. Build script injects production AppId.
Use environment-specific files
config.dev.json, config.prod.json. Each environment loads its file; AppIds never live in shared source.
Rotate exposed IDs
If an AppId was committed, rotate it at Photon. Old quota gets reset; future leaks limited to new ID.
“Secrets in repos travel with the repo. Forks inherit; quotas suffer.”
Treat any string the game uses to authenticate as a secret. Document the convention in CONTRIBUTING.md; new contributors don't repeat the mistake.