0๐
However, in my client-app these pages contain forms with database structures (e.g. an add form), since the bundled js gets served, any user can see this page in the bundled js
Yes but why is this a problem ? Assuming your forms are Vue components, whole template is compiled into Javascript. You can take a look at the production build bundle yourself and ask yourself whether you can gather any useful info just by reading it (and you know the source code!)
Just protect the vue-router routes with same role-based system you use for API (using meta fields for example) so no non-admin user can access the routes.
Plus you can make this routes lazy loaded. Which means the code rendering them will be downloaded by the browser only for admin users. This is a good idea anyway as your app will be smaller and faster for most users (assuming most users are not admins)