Trusted extra eyes for stuck bug bounty findings
Found an API key embedded in client-side JavaScript of a delivery service. The key is completely unrestricted — no HTTP referrer check, no IP restriction — and works for 12 different billable cloud API endpoints (mapping, routing, geolocation, places, and more). Automated abuse could generate 100K+ per month in charges to the target GCP project. The key is associated with a known project ID that I confirmed via error message fingerprinting. I need help deciding whether to submit this as-is or whether the target program considers embedded map keys as intentionally public. Also looking for help writing the financial impact section.
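From the defender's side, the class of issue described above (a billable cloud API key shipped in a client-side JavaScript bundle) is most cheaply caught before deploy, by scanning the built bundle for key-shaped strings in CI. The following is an added example written for this thread, not code from the original poster or from any program or vendor. It assumes the well-known Google Cloud API key format ("AIza" followed by 35 URL-safe characters), a constructed sample bundle with placeholder keys and an `example.invalid` host, and a hypothetical CI gate function `bundle_is_clean`; it reports findings with the key redacted so the scanner's own output does not become a second leak.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Well-known format of Google Cloud API keys: the literal prefix "AIza"
# followed by 35 characters from [0-9A-Za-z_-]. Matching the shape is enough
# for a pre-deploy gate; restriction status is checked in the cloud console.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z\-_]{35}")


@dataclass
class Finding:
    line: int            # 1-based line number inside the bundle
    redacted_key: str    # first 8 and last 4 characters only
    in_url_param: bool   # True when the key appears directly as "key=AIza..."


def redact(key: str) -> str:
    """Keep enough of the key to identify it in the console, never the whole value."""
    return key[:8] + "..." + key[-4:]


def scan_bundle(source: str) -> list[Finding]:
    """Return every key-shaped string in a JS bundle, with line and usage context."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(text):
            key = match.group(0)
            # Look at the four characters before the match to see whether the
            # key is interpolated straight into a query string ("key=...").
            prefix = text[max(0, match.start() - 4):match.start()]
            findings.append(Finding(lineno, redact(key), prefix.endswith("key=")))
    return findings


def bundle_is_clean(source: str) -> bool:
    """CI gate: True only when no key-shaped string is present in the bundle."""
    return not scan_bundle(source)


# Constructed sample bundle (placeholder keys, not real credentials).
SAMPLE_BUNDLE = """const MAP_URL = "https://maps.example.invalid/api/js?key=AIzaSyEXAMPLE_KEY_000000000000000000000";
const SHORT = "AIzaShort"; // not a key: too short to match the format
const GEO_KEY = "AIzaSyEXAMPLE_KEY_111111111111111111111";
fetch(MAP_URL);
"""


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        where = "query parameter" if f.in_url_param else "string literal"
        print(f"line {f.line}: {f.redacted_key} ({where})")
    print("clean" if bundle_is_clean(SAMPLE_BUNDLE) else "bundle contains API keys")
```

Run as a step after the production build; a non-empty result should fail the pipeline. A hit is not automatically a finding of the severity described in the post: a key that is legitimately meant to be public (some map SDKs require one in the browser) still needs HTTP referrer restrictions and an API allowlist limited to the endpoints the page actually uses, and that is exactly what the scanner's output tells you to go and verify in the cloud console.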