JavaScript is in plain view to the user, who can read it by selecting View Source on the page. JavaScript
cannot access the local filesystem without the user's permission. An AJAX interaction can only be made with
the server-side component from which the page was loaded. A proxy pattern could be used for AJAX
interactions with external services.
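One way to build such a proxy, shown as an added example that is not part of the original page: the page calls its own server at /proxy/<service>/..., and the server forwards the request only to upstreams on a fixed list, so it cannot be used as an open relay. The service keys, upstream URLs and function names are hypothetical placeholders.

```javascript
// Added example. Service keys and upstream URLs are hypothetical placeholders.
const UPSTREAMS = new Map([
  ['weather', 'https://api.weather.example/v1/'],
  ['rates', 'https://rates.example/api/'],
]);

// Map "/proxy/<service>/<rest>?<query>" to a URL under a configured upstream.
// Returns null for unknown services or paths that escape the upstream prefix.
function resolveUpstream(requestUrl) {
  let url;
  try {
    url = new URL(requestUrl, 'http://localhost'); // base is used for parsing only
  } catch {
    return null;
  }
  // URL parsing has already collapsed "." and ".." segments in url.pathname.
  const m = /^\/proxy\/([a-z]+)\/(.*)$/.exec(url.pathname);
  if (!m || !UPSTREAMS.has(m[1])) return null;
  const base = new URL(UPSTREAMS.get(m[1]));
  let target;
  try { target = new URL(m[2] + url.search, base); } catch { return null; }
  // An absolute or "//host" remainder changes origin; a leading "/" leaves the prefix.
  if (target.origin !== base.origin) return null;
  if (!target.pathname.startsWith(base.pathname)) return null;
  return target.href;
}

// Handler for http.createServer(); requires Node 18+ for the global fetch().
async function proxyHandler(req, res) {
  const target = req.method === 'GET' ? resolveUpstream(req.url) : null;
  if (!target) {
    res.writeHead(404);
    return res.end();
  }
  try {
    // The browser's cookies and headers are not forwarded, and redirects are
    // refused so the upstream cannot bounce the request to another host.
    const upstream = await fetch(target, {
      headers: { accept: 'application/json' },
      redirect: 'error',
    });
    const body = await upstream.text();
    // Assumes the upstream services return JSON.
    res.writeHead(upstream.status, { 'content-type': 'application/json' });
    res.end(body);
  } catch {
    res.writeHead(502);
    res.end();
  }
}
```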
You need to be careful not to expose your application model in such a way that your server-side
components are at risk if a nefarious user reverse engineers your application. As with any other web
application, consider using HTTPS to secure the connection when confidential information is being exchanged.