Somebody who decompiles your APK can see those strings. If the data exists on the user's device, people can get at it, with varying degrees of difficulty. Also, note that this is not significantly different from any Web site ever created, as the entire HTML, CSS, and JavaScript that is delivered to the browser can be read.
You are welcome to invest in DexGuard to try to make it challenging for somebody to retrieve that JavaScript. Whether that is worth the time and expense is up to you to determine.