Using an API gateway is standard practice for microservice routing: it provides a centralized location that routes each request to the appropriate microservice based on the request path.
Broadleaf includes implementations of Spring Cloud Gateway for both the Unified Admin app and the Commerce app. These implementations filter requests to the corresponding APIs and bypass CORS. Using a common gateway to bypass CORS does not affect the security of the API endpoints, since the individual resource tiers are secured with Spring Security from different authorities.
Both the Admin gateway and the Commerce gateway are set up similarly, even though each is a separate instance of Spring Cloud Gateway. This is because they route to many of the same backend APIs for the different frontend applications.
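
The path-based routing described above, written as a Spring Cloud Gateway route configuration. This is an added example, not Broadleaf's own configuration: the route ids, hostnames, ports and paths are hypothetical, and it assumes the browser loads the frontend through the gateway as well, so every call it makes is same-origin.

```yaml
# Added illustration, not Broadleaf's shipped configuration.
# All route ids, hosts, ports and paths are hypothetical placeholders.
# The property prefix shown is the long-standing one; newer Spring Cloud
# Gateway releases may use a different prefix, so check the version in use.
spring:
  cloud:
    gateway:
      routes:
        # API routes: chosen by request path. The gateway forwards the
        # request, including its Authorization header, to the backend.
        # It makes no access decision here; each backend service still
        # enforces its own Spring Security rules on what it receives.
        - id: catalog-api
          uri: https://catalog.internal.example:8443
          predicates:
            - Path=/api/catalog/**
          filters:
            - StripPrefix=1        # /api/catalog/products -> /catalog/products

        - id: cart-api
          uri: https://cart.internal.example:8443
          predicates:
            - Path=/api/cart/**
          filters:
            - StripPrefix=1        # /api/cart/items -> /cart/items

        # Frontend route (assumption): the browser app is served from the
        # same gateway origin, so its calls to /api/** are same-origin and
        # the browser never issues a CORS preflight for them.
        - id: frontend-ui
          uri: https://ui.internal.example:8443
          order: 100               # higher order value = evaluated after the API routes
          predicates:
            - Path=/**
```

When reviewing a setup like this, confirm that the backend services are not reachable except through the gateway or, if they are, that they reject unauthenticated requests on their own; the same-origin arrangement removes the need for CORS headers but is not an access control.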