Always assume nothing in a coda doc is truly hidden/secure. If you need security, you need a different architecture using at least multiple (syncing) docs. Like a seperate front-end copy for each user or role and a back-end to sync to. But most likely you need a different tool or platform entirely.
And yes very unfortunate because coda is great in so many ways.