Is there security in place to ensure that bad actors can't access my organization via the command-line API?
Yes. We have partnered with one of the top products in the industry and offer protections such as brute-force protection, bot detection, and suspicious IP throttling, to name a few. Our authentication/authorization code always checks that the actor trying to access an organization's data has access to that organization.
As a developer at a partner, how do I spin up a sandbox of a product to create a demo for a potential customer?
If your partner organization has a Sitecore Cloud Portal account with an XM subscription, you will be able to spin up a non-production instance of XM Cloud for demo purposes. It is on our roadmap to provide a similar capability as we onboard additional products into Sitecore Cloud Portal.