The API keys used with the SDKs are read-only and safe to use client-side. If you don't want to expose the list of features to end users, you can evaluate them using one of our server-side SDKs.
We also have a project coming up that adds an encryption option to the API endpoint -
https://github.com/growthbook/growthbook/pull/530 . If you use that client-side someone could still in theory inspect the source code and find your encryption key, so it's not perfect, but it will stop any casual users from finding your list of features.