Is it OK to expose my Infura Project ID while connecting via web3js on the client side?

It is currently fine, we expect the Project ID to be used when sending requests from client facing applications and when being sent from private backend systems or servers.

The Project Secret provides another layer of security when sending API requests to Infura. It should only be used when sending requests from a private backend system or server as the Project Secret should never be human readable in your client facing application. There is currently no requirement to use the Project Secret. We will provide more information in future updates and release new documentation to show exactly how the Project Secret can be used when sending requests.

We are testing our new API authentication using both Project IDs and Project Secrets, we will update our developer community with results of the testing and the direction going forward for this authentication.