The main things you could take advantage of to prevent cheating in brainCloud would be:
Cloud-code - brainCloud supports server-side javascript-based scripts that we call cloud code. Obviously, any game logic that's on the server instead of the client is more secure. So for example, when posting scores, you could use a cloud-code script that performs a bunch of checks. Instead of merely posting the score directly, the script could take into account the level, the boosts the player had available (based on the data stored in their profile, etc) to decide whether the score is reasonable/possible before posting it. Limit operations like JoinTournament and especially PostTournamentScore to cloud code only. This essentially takes away the ability to make these calls from the bare client API. You can see a script that enforces these restrictions here - https://getbraincloud.com/apidocs/cloud-code-central/handy-cloud-code-scripts/restrictclientcalls-script/
Virtual Currencies & Receipt Validation - brainCloud can manage your virtual currencies server-side and perform receipt validation for you, so that when a user makes a purchase their virtual currency balances are updated automatically. This prevents users from attempting to manipulate these things client-side.
API Hooks - in addition to regular cloud code, you can actually attach cloud code scripts to API calls. These "hooks" get activated either before or after the API call itself is performed. This can be useful *after-the-fact* to plug an exploit that is discovered in the field (without a client update).