Dumb question, api key for app? Protect project but allow app to read some docs without login?

I have my project set up, and I'm developing with Flutter. My app does not require users to log in to retrieve some general project data, but authentication is needed for other functionalities, data, docs, collections, etc. I understand that each document has its own access control levels, which is great. However, regarding the documents that the app can read without requiring login, the only options I see are "any" or "all guests".

If I set it to "any", the data is exposed to anyone worldwide, regardless of the client making the request (e.g., a simple curl command).
If I use "all guests", an anonymous session must be created (createAnonymousSession()) for it to work. Am I understanding this correctly?

Now, regarding the anonymous session, anyone could technically create an anonymous session and then access documents that are set to "all guests", correct?

My concern:

How can I protect my project so that both guests and authenticated users can read the documents/collections required for the app to function, but without allowing just anyone to create an anonymous session and access the documents outside of my app (e.g., via curl or a custom script)?

My goal:

I want to ensure that only my app can read the required documents/collections without the user having to log in, but no one outside my app should be able to access them.

Would creating an API key with the "Auth - sessions.write" permission be the solution? However, as I understand it, this would grant the entire app permission to create, update, and delete sessions for any user, right? That doesn't seem like the right approach for securing my project in the way I intend.

What would be the best way to achieve this?