The thing is, all plugins run under unrestricted authority that is granted to PHP. Anything that you try to make private will require some sort of token to access it. Any token that is accessed by your plugin could also be accessed by another plugin. You can attempt to encrypt, obfuscate, hide, misdirect, etc. the means to get to the data, but if someone were so inclined, they could work through all of that through their own plugin and gain access. In most cases no one would make the effort, but the fact remains that the data cannot be truly protected from malicious code when it comes in through another plugin.
The most secure data is data not stored on a computer. There is no truly secure data, only degrees of difficulty to access.
]]>