If the user's contract wallet address and the target addresses are not whitelisted, a hacker could use your DApp's API key to send gasless transactions to any smart contract (e.g. Uniswap contracts) via his own contract wallet, which is not even registered on your DApp, and you would end up paying the gas fees for his transactions.
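The check this implies, as an added example that is not code from the original page or from any relayer SDK: a default-deny sponsorship decision that requires both the wallet and the target to be whitelisted. The names `buildPolicy`, `shouldSponsor` and `evaluateAll`, the request shape and all addresses are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names, not a real SDK API): default-deny gas sponsorship.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Lowercase so checksummed and lowercase spellings of one address compare equal.
function normalize(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) return null;
  return addr.toLowerCase();
}

// Build the two whitelists; a malformed entry is a configuration error, not a silent skip.
function buildPolicy({ wallets, targets }) {
  const toSet = (list) => new Set(list.map((a) => {
    const n = normalize(a);
    if (n === null) throw new Error(`invalid whitelist entry: ${a}`);
    return n;
  }));
  return { wallets: toSet(wallets), targets: toSet(targets) };
}

// Decide whether to pay gas for one relay request. Both checks must pass.
function shouldSponsor(policy, request) {
  const wallet = normalize(request.wallet);
  const target = normalize(request.target);
  if (wallet === null || target === null) return { sponsor: false, reason: "malformed address" };
  if (!policy.wallets.has(wallet)) return { sponsor: false, reason: "wallet not whitelisted" };
  if (!policy.targets.has(target)) return { sponsor: false, reason: "target not whitelisted" };
  return { sponsor: true, reason: "ok" };
}

// Constructed sample data: addresses are placeholders made of one repeated hex digit.
const addr = (c) => "0x" + c.repeat(40);
const policy = buildPolicy({ wallets: [addr("1")], targets: [addr("A")] });
const requests = [
  { wallet: addr("1"), target: addr("a") }, // registered wallet, own contract (case differs)
  { wallet: addr("2"), target: addr("b") }, // unregistered wallet, external contract
  { wallet: addr("1"), target: addr("b") }, // registered wallet, external contract
  { wallet: "0x123", target: addr("a") },   // malformed wallet address
];

function evaluateAll() {
  return requests.map((r) => shouldSponsor(policy, r).reason);
}

console.log(evaluateAll());
```

The second request is the case the paragraph describes: without the wallet check it would be sponsored whenever the target happened to be allowed, and without the target check a registered wallet could still spend your gas on any contract.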