Angular canActivate Security

I've been thinking a lot lately about the security of the application I'm working on. The client side is built in Angular with a Rails API backend. From what I can gather, the general consensus is that if it's on the client, assume it might be compromised. So it surprises me when and if I should use something like canActivate

for a route, or if I should instead check for authorization every time on the server for route requests. I was thinking about putting an auth request to the server in canActivate

, but I'm guessing there canActivate

is a hack to respond true

without having to respond by the server? If so, something like canActivate

if it's just a glass door?