There are few things here.
First, downloadable files: In your production deployment, all of these files will be merged, minimized, and confused by the BoilerplateJS optimizer. In any case, all your code will be in one script in production, this is normal in AMD JavaScript applications.
Although the code has been downloaded, the individual components will not be displayed until they receive an activation call from the front controller. Your module will register the user interface components at the initial application loading time, but the actual creation of the user interface component occurs only in the "activate" function of your component. This will accelerate the loading of the application, and the creation of the user interface component will occur only on demand.
You should never depend on client-side authorization in the application. All your JS code will go to the client browser and can be changed. But for the convenience of the user, you can hide the operation, which is not valid for the user. Where to do this depends on the granularity of the control. If you want it at the component level, you can do this in the navigation menu itself.