If you download an app from the server and run it on your PC, for example, in Chrome, you can right-click and select “View Page Source.”
Then you’ll see the entire source code, including comments—and sensitive data.
Can this be prevented?
Is there a way to hide sensitive data?
There is no absolute way to do this, but you can make it harder by Obfuscation. Set this in Project Properties.
If you have code which you absolutely do not want end users to look at, it should be run on your server.
For example, if I query passwords for comparison via a PHP script - is that secure?
If the password check happens on your server, using something like PHP, you should be OK. The master password file should not be accessed by your app on the device: that would create security issues.
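The server-side check described in the last reply, sketched as an added example that is not part of the original thread: the app posts a user name and password, the PHP script compares against hashes that never leave the server, and only a yes/no goes back to the browser. The function names, the `user` and `password` field names and the constructed user table are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample store (assumption). In practice the hashes are created
// once at registration and kept in a database or a file outside the web root,
// never in anything that is shipped to the browser.
function load_users(): array
{
    return [
        'alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT),
    ];
}

// Returns true only when the user exists and the password matches its hash.
function check_login(array $users, string $user, string $password): bool
{
    // Unknown users are verified against a dummy hash so that both paths
    // do comparable work and the response time does not reveal valid names.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);

    $hash = $users[$user] ?? $dummy;
    $matches = password_verify($password, $hash);

    return $matches && isset($users[$user]);
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');

    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        echo json_encode(['ok' => false]);
        exit;
    }

    // Accept only plain string fields; anything else counts as empty.
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    // The client learns only whether the login succeeded; no hash, no
    // password list and no comparison logic appears in "View Page Source".
    echo json_encode(['ok' => check_login(load_users(), $user, $pass)]);
}
```

The page source of the app then contains only the request to this script, so "View Page Source" shows nothing about the stored passwords.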