I don't work for Dark Sky and yes, just my opinion. But you can search the forum, this has been discussed several times.
Yes, ideally a client browser calls a server-side script (Keys stored in environment variables), which makes the calls to the API service, and returns only the result to the user's browser.
I guess the other option is for new learning students to setup their own server, run server side script, get their own SSLs, and really hide this "weather API" because it's so important. Other people may try to steal their API keys and they'll hit their 1000 limit pretty soon.